-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1135
        A number of vulnerabilities have been identified in Drupal
                            third-party modules
                             10 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Quiz (Drupal third-party module)
                  CKEditor (Drupal third-party module)
                  Webform CiviCRM Integration (Drupal third-party module)
Publisher:        Drupal
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Cross-site Scripting            -- Remote with User Interaction
                  Unauthorised Access             -- Remote/Unauthenticated      
Resolution:       Patch/Upgrade

Comment: This bulletin contains three (3) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-053
  * Project: Quiz [1] (third-party module)
  * Version: 6.x
  * Date: 2011-November-09
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

Quiz module allows the creation and taking of tests that are scored either
automatically or manually by a teacher.

The module contains several cross site scripting (XSS) vulnerabilities that
can be exploited when quizzes are being created.

These vulnerabilities are mitigated by the fact that an attacker must have
the permission to create or edit quizzes.
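The advisory does not describe the individual Quiz bugs, but the class is the usual one: strings typed by the quiz author reach the page unescaped. The following is an added example, not code from the Quiz module, showing how a Drupal 6 module renders author-supplied fields safely. The function name and the node fields it reads (`example_quiz_render_summary`, `pass_rate`, `summary_pass`, `format`) are assumptions for illustration.

```php
<?php
// Added example, not Quiz module code. Demonstrates escaping of quiz-author
// supplied strings in a Drupal 6 render function. Names are hypothetical.

/**
 * Renders a quiz summary. $node is a quiz node whose title and feedback
 * fields were typed in by whoever holds the permission to create quizzes.
 */
function example_quiz_render_summary($node) {
  $output = '';

  // VULNERABLE pattern: raw concatenation. Any markup in the title is
  // emitted as-is and executes in every visitor's browser.
  // $output .= '<h2>' . $node->title . '</h2>';

  // Plain-text fields: check_plain() HTML-encodes <, >, &, " so the
  // browser displays them literally.
  $output .= '<h2>' . check_plain($node->title) . '</h2>';

  // t() with an @-placeholder escapes the substituted value the same way.
  $output .= '<p>' . t('Pass rate required: @rate%', array('@rate' => $node->pass_rate)) . '</p>';

  // Fields that legitimately hold markup go through the input format the
  // author chose, so the site's configured filters (including Drupal's
  // XSS filter) run on them instead of trusting the stored HTML.
  $output .= '<div class="quiz-feedback">';
  $output .= check_markup($node->summary_pass, $node->format, FALSE);
  $output .= '</div>';

  // l() escapes its link text by default, so the label is safe too.
  $output .= l(t('Take this quiz'), 'node/' . $node->nid . '/take');

  return $output;
}
```

The rule the example applies: pick the escaping call by output context (plain text, translated string, formatted text, attribute) at the point where the value is rendered, rather than trying to sanitise on input. That is also why the permission requirement only mitigates rather than removes the risk: a quiz author is trusted to write questions, not to run script in other users' sessions.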

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Quiz 6.x-4.x versions prior to 6.x-4.3.

Drupal core is not affected. If you do not use the contributed Quiz [3]
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Quiz module for Drupal 6.x, upgrade to quiz 6.x-4.3 [4]

See also the Quiz [5] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * phdruplover [6]

- -------- FIXED BY ------------------------------------------------------------

  * sivaji [7] the module maintainer
  * falcon [8] the module maintainer

- -------- COORDINATED BY ------------------------------------------------------

  * Matt Kleve [9] of the Drupal Security Team

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/quiz
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/quiz
[4] http://drupal.org/node/1336756
[5] http://drupal.org/project/quiz
[6] http://drupal.org/user/1505850
[7] http://drupal.org/user/328724
[8] http://drupal.org/user/530912
[9] http://drupal.org/user/150473
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-054
  * Project: CKEditor - WYSIWYG HTML editor [1] (third-party module)
  * Version: 7.x
  * Date: 2011-November-09
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The CKEditor module allows Drupal to replace textarea fields with the
CKEditor - a visual HTML editor, sometimes called WYSIWYG editor. The module
doesn't protect private files appropriately. Private files can be downloaded
by anyone able to guess their URL.
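In Drupal 7 a file stored under `private://` is never served by the web server directly; every request for it goes through `file_download()`, which serves the file only if some module's `hook_file_download()` returns headers for it, and denies it if any implementation returns -1. The following is an added example, not CKEditor module code, of a module enforcing an access rule for files it stores in the private file system. The module name `example_upload`, its `private://example_upload/` directory and the permission name are assumptions for illustration.

```php
<?php
// Added example, not CKEditor module code. Shows the Drupal 7 pattern for
// protecting files in the private file system. Module name, directory and
// permission name are hypothetical.

/**
 * Implements hook_file_download().
 *
 * Called by file_download() for every request to system/files/<path>.
 * Return an array of headers to allow the download, -1 to deny it, or
 * nothing if this module has no opinion about the file.
 */
function example_upload_file_download($uri) {
  // Only speak for files this module manages; leave the rest to their owners.
  if (file_uri_scheme($uri) != 'private' || strpos($uri, 'private://example_upload/') !== 0) {
    return;
  }

  // Look the file up in the managed file table instead of trusting the path.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return -1;
  }
  $file = reset($files);

  // Access rule (hypothetical): the uploader, or anyone holding a site-wide
  // permission, may download; everyone else, including anonymous visitors
  // who guessed the URL, is refused.
  global $user;
  if ($file->uid != $user->uid && !user_access('access example_upload files')) {
    return -1;
  }

  // Allowed: hand back the headers file_transfer() will send.
  return array(
    'Content-Type' => $file->filemime,
    'Content-Length' => $file->filesize,
  );
}

/**
 * Implements hook_permission().
 */
function example_upload_permission() {
  return array(
    'access example_upload files' => array(
      'title' => t('Download files uploaded through the editor'),
    ),
  );
}
```

Two checks worth making on a site that uses an editor upload module: confirm the upload directory really is a `private://` path (a `public://` file is served by the web server and the hook above never runs, so no module-level check can protect it), and confirm that an anonymous request for a known private file URL gets a 403 rather than the file.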

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * CKEditor 7.x-1.4 version only

Drupal core is not affected. If you do not use the contributed CKEditor -
WYSIWYG HTML editor [3] module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * Upgrade to CKEditor 7.x-1.5 [4]

See also the CKEditor - WYSIWYG HTML editor [5] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * Joel Walters [6]

- -------- FIXED BY ------------------------------------------------------------

  * Michal [7] the module maintainer

- -------- COORDINATED BY ------------------------------------------------------

  * Stéphane Corlosquet [8] of the Drupal Security Team

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].

[1] http://drupal.org/project/ckeditor
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ckeditor
[4] http://drupal.org/node/1336272
[5] http://drupal.org/project/ckeditor
[6] http://drupal.org/user/1052318
[7] http://drupal.org/user/922884
[8] http://drupal.org/user/52142
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-055
  * Project: Webform CiviCRM Integration [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2011-November-09
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, SQL Injection

- -------- DESCRIPTION ---------------------------------------------------------

The Webform CiviCRM Integration module extends the functionality of the
Webform Module [3] to link form submissions with a CiviCRM [4] database.
Version 2.0 of the module added form validation based on CiviCRM data type. A
flaw in the implementation of this feature caused other validation handlers
to fail, so the Webform would be able to be submitted even if required fields
were left blank, etc. Version 2.1 fixed this issue, but implemented
validation in such a way as to leave a possible opening for SQL injection.
Both issues are now fixed in version 2.2.
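The description covers two separate defects: a validation handler that stopped the other handlers from running, and a replacement that built SQL from the submitted value. The following is an added example, not Webform CiviCRM Integration code, of a Drupal 7 form validation handler that checks a submitted value against a lookup table while avoiding both problems. The form element name, the table `{example_crm_state}` and the function name are assumptions for illustration.

```php
<?php
// Added example, not Webform CiviCRM Integration code. A Drupal 7 form
// validation handler that looks a submitted value up in the database
// without building SQL from it. Table, element and function names are
// hypothetical.

/**
 * Form validation handler: the submitted "state" must exist in the
 * lookup table. Attached to a form via $form['#validate'][].
 */
function example_crm_validate_state($form, &$form_state) {
  $value = isset($form_state['values']['state']) ? $form_state['values']['state'] : '';

  // VULNERABLE pattern: interpolating the submitted value into the query
  // string. A quote in $value ends the literal and the rest is parsed as SQL.
  // $id = db_query("SELECT id FROM {example_crm_state} WHERE name = '$value'")->fetchField();

  // Safe: a named placeholder. The database layer binds the value, so any
  // quote or comment sequence in it is compared as data, never executed.
  $id = db_query('SELECT id FROM {example_crm_state} WHERE name = :name',
    array(':name' => $value))->fetchField();

  if ($id === FALSE) {
    // Record the error on this element and return. form_set_error() does
    // not abort validation, so the other #validate handlers (and the
    // #required checks) still run and the form is only submitted when all
    // of them pass.
    form_set_error('state', t('%value is not a valid state.', array('%value' => $value)));
    return;
  }

  // Hand the resolved id to the submit handlers.
  $form_state['values']['state_id'] = (int) $id;
}
```

For the 6.x branch the same rule holds with the Drupal 6 database API: `db_query("... WHERE name = '%s'", $value)` escapes the argument, whereas concatenating `$value` into the string does not. In either branch, a validation handler should report through `form_set_error()` and otherwise leave the form state alone, so that it neither masks nor bypasses the other validators.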

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Webform CiviCRM Integration prior to 6.x-2.2
  * Webform CiviCRM Integration prior to 7.x-2.2

Drupal core is not affected. If you do not use the contributed Webform
CiviCRM Integration [5] module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the module for Drupal 6.x, upgrade to Webform CiviCRM
    Integration 6.x-2.2 [6]
  * If you use the module for Drupal 7.x, upgrade to Webform CiviCRM
    Integration 7.x-2.2 [7]

See also the Webform CiviCRM Integration [8] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * Michał Mach [9]

- -------- FIXED BY ------------------------------------------------------------

  * Coleman Watts [10] the module maintainer

- -------- COORDINATED BY ------------------------------------------------------

  * Stéphane Corlosquet [11] of the Drupal Security Team

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/webform_civicrm
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/webform
[4] http://civicrm.org
[5] http://drupal.org/project/webform_civicrm
[6] http://drupal.org/node/1336044
[7] http://drupal.org/node/1336046
[8] http://drupal.org/project/webform_civicrm
[9] http://drupal.org/user/765720
[10] http://drupal.org/user/639856
[11] http://drupal.org/user/52142
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----