-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1135
 A number of vulnerabilities have been identified in Drupal third-party modules
                              10 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Quiz (Drupal third-party module)
                   CKEditor (Drupal third-party module)
                   Webform CiviCRM Integration (Drupal third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Comment: This bulletin contains three (3) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

* Advisory ID: DRUPAL-SA-CONTRIB-2011-053
* Project: Quiz [1] (third-party module)
* Version: 6.x
* Date: 2011-November-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

Quiz module allows the creation and taking of tests that are scored either
automatically or manually by a teacher.

The module contains several cross site scripting (XSS) vulnerabilities that
can be exploited when quizzes are being created.

These vulnerabilities are mitigated by the fact that an attacker must have the
permission to create or edit quizzes.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Quiz 6.x-4.x versions prior to 6.x-4.3.

Drupal core is not affected. If you do not use the contributed Quiz [3]
module, there is nothing you need to do.
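The advisory does not say which quiz-creation fields were affected. The following is an added illustration, not the Quiz module's own code, of the output-escaping discipline a Drupal 6 module is expected to follow for text a quiz author has entered: plain-text values go through check_plain() before they are placed in markup, fields that legitimately carry HTML go through filter_xss(), and t() is used with @ or % placeholders rather than ! (which inserts the value raw). The stand-in definitions at the top mirror Drupal 6's implementation only closely enough for the file to run as plain PHP outside a Drupal bootstrap; inside Drupal the real functions are used. The example_ function names and the sample quiz record are constructed for this illustration.

```php
<?php
// Stand-ins so this file runs as plain PHP. Inside Drupal 6 the real
// functions already exist and these blocks are skipped.
if (!function_exists('check_plain')) {
  // Drupal 6 check_plain(): HTML-encode everything, including quotes.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('filter_xss')) {
  // Reduced stand-in for Drupal's filter_xss(): keep only a tag whitelist.
  // Drupal's real implementation also strips dangerous attributes and URL
  // schemes on the allowed tags; this stand-in does not, so use the real one.
  function filter_xss($text, $allowed_tags = array('a', 'em', 'strong', 'p')) {
    return strip_tags($text, '<' . implode('><', $allowed_tags) . '>');
  }
}
if (!function_exists('t')) {
  // Drupal 6 t(): @ and % placeholders are escaped, ! is inserted raw.
  function t($string, $args = array()) {
    foreach ($args as $key => $value) {
      switch ($key[0]) {
        case '@': $args[$key] = check_plain($value); break;
        case '%': $args[$key] = '<em>' . check_plain($value) . '</em>'; break;
        case '!': break; // deliberately unescaped: only for already-safe markup
      }
    }
    return strtr($string, $args);
  }
}

// Constructed quiz record, as a quiz author with "create quiz" permission
// could have saved it.
$quiz = array(
  'title' => 'Week 3 <script>alert(1)</script>',
  'description' => '<p>Answer <strong>all</strong> questions.</p><img src=x onerror=alert(1)>',
);

// Weak: author-supplied values are dropped straight into the page, and the
// ! placeholder bypasses t()'s escaping. This is the stored-XSS pattern.
function example_render_quiz_weak(array $quiz) {
  return '<h2>' . $quiz['title'] . '</h2>' . $quiz['description']
    . t('Editing quiz !title', array('!title' => $quiz['title']));
}

// Hardened: the plain-text title is HTML-encoded, the rich-text description
// is reduced to a tag whitelist, and the @ placeholder lets t() escape.
function example_render_quiz_safe(array $quiz) {
  return '<h2>' . check_plain($quiz['title']) . '</h2>'
    . filter_xss($quiz['description'])
    . t('Editing quiz @title', array('@title' => $quiz['title']));
}

echo example_render_quiz_safe($quiz), PHP_EOL;
```

Run with php on the command line: the hardened renderer emits the title with its angle brackets entity-encoded and drops the img tag from the description, while the weak renderer would echo both verbatim. The point the advisory's mitigation note makes (an attacker needs quiz-editing permission) does not remove the need for this: anything stored by one role and rendered to another role is still untrusted input at render time.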
- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Quiz module for Drupal 6.x, upgrade to quiz 6.x-4.3 [4]

See also the Quiz [5] project page.

- -------- REPORTED BY ---------------------------------------------------------

* phdruplover [6]

- -------- FIXED BY ------------------------------------------------------------

* sivaji [7] the module maintainer
* falcon [8] the module maintainer

- -------- COORDINATED BY ------------------------------------------------------

* Matt Kleve [9] of the Drupal Security Team

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/quiz
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/quiz
[4] http://drupal.org/node/1336756
[5] http://drupal.org/project/quiz
[6] http://drupal.org/user/1505850
[7] http://drupal.org/user/328724
[8] http://drupal.org/user/530912
[9] http://drupal.org/user/150473
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2011-054
* Project: CKEditor - WYSIWYG HTML editor [1] (third-party module)
* Version: 7.x
* Date: 2011-November-09
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The CKEditor module allows Drupal to replace textarea fields with the CKEditor
- a visual HTML editor, sometimes called WYSIWYG editor.

The module doesn't protect private files appropriately.
Private files can be downloaded by anyone able to guess their URL.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* CKEditor 7.x-1.4 version only

Drupal core is not affected. If you do not use the contributed CKEditor -
WYSIWYG HTML editor [3] module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

* Upgrade to CKEditor 7.x-1.5 [4]

See also the CKEditor - WYSIWYG HTML editor [5] project page.

- -------- REPORTED BY ---------------------------------------------------------

* Joel Walters [6]

- -------- FIXED BY ------------------------------------------------------------

* Michal [7] the module maintainer

- -------- COORDINATED BY ------------------------------------------------------

* Stéphane Corlosquet [8] of the Drupal Security Team

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
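The advisory states only that files in the private file system could be fetched by anyone who knew their URL. The following is an added example, not CKEditor's code, of the access gate a Drupal 7 module is expected to put in front of files it stores under private://: Drupal core routes every request for a private file through hook_file_download(), and the module that owns the file must return -1 to deny, NULL to leave the decision to other modules, or an array of headers to let the file be served. Knowing the path is not authorisation, so the headers are returned only after a permission check. The module name example_private_uploads, the directory prefix and the permission name are assumptions made for this illustration.

```php
<?php
/**
 * Implements hook_file_download().
 *
 * Drupal 7 invokes this for every request under the private file system.
 * Return values: NULL = not our file, -1 = deny, array = headers to serve.
 */
function example_private_uploads_file_download($uri) {
  // Only answer for files this module placed under private://example_uploads/
  // (hypothetical prefix); leave everything else to its owning module.
  if (file_uri_scheme($uri) !== 'private'
      || strpos(file_uri_target($uri), 'example_uploads/') !== 0) {
    return NULL;
  }

  // A guessable URL must not be enough: require an explicit permission
  // (declared in hook_permission() below) before anything is served.
  if (!user_access('download example private uploads')) {
    return -1;
  }

  $path = drupal_realpath($uri);
  if ($path === FALSE || !is_file($path)) {
    return -1;
  }

  // Serve as an attachment so a browser never renders an uploaded HTML or
  // SVG file inline in the site's origin. Strip characters that could
  // break the header value.
  $name = str_replace(array('"', "\r", "\n"), '', basename($path));
  return array(
    'Content-Type' => file_get_mimetype($uri),
    'Content-Length' => filesize($path),
    'Content-Disposition' => 'attachment; filename="' . $name . '"',
  );
}

/**
 * Implements hook_permission().
 */
function example_private_uploads_permission() {
  return array(
    'download example private uploads' => array(
      'title' => t('Download files uploaded through the editor'),
    ),
  );
}
```

Two checks are worth making on any module that stores uploads privately: that its private:// paths are covered by a hook_file_download() implementation that denies by default, and that the same files are not also reachable directly through the web server (the private directory should sit outside the document root or be blocked by the server configuration).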
[1] http://drupal.org/project/ckeditor
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ckeditor
[4] http://drupal.org/node/1336272
[5] http://drupal.org/project/ckeditor
[6] http://drupal.org/user/1052318
[7] http://drupal.org/user/922884
[8] http://drupal.org/user/52142
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2011-055
* Project: Webform CiviCRM Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2011-November-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, SQL Injection

- -------- DESCRIPTION ---------------------------------------------------------

The Webform CiviCRM Integration module extends the functionality of the
Webform Module [3] to link form submissions with a CiviCRM [4] database.

Version 2.0 of the module added form validation based on CiviCRM data type.
A flaw in the implementation of this feature caused other validation handlers
to fail, so the Webform would be able to be submitted even if required fields
were left blank, etc.

Version 2.1 fixed this issue, but implemented validation in such a way as to
leave a possible opening for SQL injection.

Both issues are now fixed in version 2.2.

- -------- VERSIONS AFFECTED ---------------------------------------------------

* Webform CiviCRM Integration prior to 6.x-2.2
* Webform CiviCRM Integration prior to 7.x-2.2

Drupal core is not affected. If you do not use the contributed Webform CiviCRM
Integration [5] module, there is nothing you need to do.
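The advisory says the 2.1 validation code left "a possible opening for SQL injection" but does not show the query, and that the 2.0 code broke the other validation handlers in the chain. The following is an added example, not the module's code, of how both concerns are handled in a Drupal 7 form validation handler: the submitted value never becomes part of the SQL text and is passed only as a :placeholder argument to db_query(); the one thing that must be spliced into the SQL (the column name) comes from a fixed whitelist; and problems are reported with form_set_error() without short-circuiting, so Webform's own required-field validation still runs on the same submission. The query builder is split out as a pure function so it can be checked without a database. The table name, column names and the validation rule itself (value must match an existing CiviCRM record) are hypothetical.

```php
<?php
/**
 * Build a parameterised lookup for one CiviCRM-typed webform field.
 *
 * Returns array('sql' => ..., 'args' => ...) ready for db_query(). The
 * column name comes from a whitelist because placeholders can only carry
 * values, never identifiers. Table and column names are hypothetical.
 */
function example_civicrm_lookup_query($field, $value) {
  static $columns = array(
    'email' => 'email',
    'phone' => 'phone',
    'postal_code' => 'postal_code',
  );
  if (!isset($columns[$field])) {
    // Unknown field names are a programming error, not user input to trust.
    throw new InvalidArgumentException("Unknown lookup field: $field");
  }
  return array(
    'sql' => 'SELECT COUNT(*) FROM {example_civicrm_contact_data} WHERE '
      . $columns[$field] . ' = :value',
    'args' => array(':value' => $value),
  );
}

/**
 * Webform validation handler, attached with $form['#validate'][] = ... .
 *
 * Reports problems via form_set_error() and never returns early or clears
 * errors, so the other validators registered on the form (including
 * Webform's required-field checks) still run on the same submission.
 */
function example_civicrm_webform_validate($form, &$form_state) {
  foreach (array('email', 'phone', 'postal_code') as $field) {
    if (!isset($form_state['values'][$field]) || $form_state['values'][$field] === '') {
      // Empty values are left to Webform's own "required" handling.
      continue;
    }
    $q = example_civicrm_lookup_query($field, $form_state['values'][$field]);
    // The user-supplied value travels only in $q['args'], never in $q['sql'].
    $matches = db_query($q['sql'], $q['args'])->fetchField();
    if ($matches == 0) {
      form_set_error($field, t('No CiviCRM contact has this @field.', array('@field' => $field)));
    }
  }
}
```

When reviewing a module for this class of bug, the quick test is to grep for db_query() calls whose first argument is built by concatenation or interpolation of anything from $form_state['values'] or $_GET/$_POST; every such value should instead appear in the second argument as a placeholder.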
- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the module for Drupal 6.x, upgrade to Webform CiviCRM Integration
  6.x-2.2 [6]
* If you use the module for Drupal 7.x, upgrade to Webform CiviCRM Integration
  7.x-2.2 [7]

See also the Webform CiviCRM Integration [8] project page.

- -------- REPORTED BY ---------------------------------------------------------

* Michał Mach [9]

- -------- FIXED BY ------------------------------------------------------------

* Coleman Watts [10] the module maintainer

- -------- COORDINATED BY ------------------------------------------------------

* Stéphane Corlosquet [11] of the Drupal Security Team

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/webform_civicrm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform
[4] http://civicrm.org
[5] http://drupal.org/project/webform_civicrm
[6] http://drupal.org/node/1336044
[7] http://drupal.org/node/1336046
[8] http://drupal.org/project/webform_civicrm
[9] http://drupal.org/user/765720
[10] http://drupal.org/user/639856
[11] http://drupal.org/user/52142
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTrsv9O4yVqjM2NGpAQL49A/9HfOwCbQ2JsujmDhL1QpDf32ZctDlo6c0
ER7wUT7yP/c6+SB+frkr99GLPhPcbh0dyR2vmowvUV0PRQzWekVTxL9EAJ/QR9F2
tcGrvUkUZN18vVDTDgIRzNBouCYigy3ML5bxgxZWlLHKr3Tvj98Uy1Yfdu5RgACq
Lkp1tVxvKUO0hpfexUSi8iJzUnqI7b9qgMn//IAl9mEh3zU3DxojJbp1AhLeU7e4
o3PwwLN7iwaEoldRhkzTbjeskxL+N4C36nC/dj9t3p4pVc/NqeI9Y2yvS6ufMMvC
b9jCajyU8+WcIKE5AhZzvidBik+JPJWC/BdPjOSA62tlmhmaIO6nrgGYVyAvkSPs
zo0lCJOa7Nlms23odyucxK/QdKw9/s0SXvK2tWsdcG/eKdRQGvQRA1vgdvtPyJ+u
xmxsL2VrKiUhQikLUZJ9enHViwNPjvLBByaxmo4PLwRV1BZnss2ipRylVEalMLav
WlQZWgkFOhiPuOSvyALRAxHbUmzIjBGnXICOSNeH8yfR/OzDRMTCeG30oQB19zQP
sktSCL5nP5zaYUj/5abFdx0GBI3G7PmvOz4PZgZdbDiCIQEzDRRW8zHiu23GnRin
c7mlr3N7lvmbASIW6+hFQZwvz2Z2BwBxOnkUsytcRglH9ueA9cpWU1NEbjiDztNZ
yC9dqO4sS9I=
=CLSV
-----END PGP SIGNATURE-----