-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.0425.2
      A number of vulnerabilities have been identified in Drupal core
                              3 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Existing Account            
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2153 CVE-2012-1591 CVE-2012-1590
                   CVE-2012-1589 CVE-2012-1588 

Original Bulletin: 
   http://drupal.org/node/1557938

Revision History:  October 3 2012: Added CVE-2012-2153
                   May     3 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CORE-2012-002
  * Project: Drupal core [1]
  * Version: 7.x
  * Date: 2012-May-2
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Denial of Service, Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

.... Denial of Service

CVE: CVE-2012-1588
Drupal core's text filtering system provides several features including
removing inappropriate HTML tags and automatically linking content that
appears to be a link. A pattern in Drupal's text matching was found to be
inefficient with certain specially crafted strings. This vulnerability is
mitigated by the fact that users must have the ability to post content sent
to the filter system such as a role with the "post comments" or "Forum topic:
Create new content" permission.

.... Unvalidated form redirect

CVE: CVE-2012-1589
Drupal core's Form API allows users to set a destination, but failed to
validate that the URL was internal to the site. This weakness could be abused
to redirect the login form to a remote site with a malicious script that
harvests the login credentials and redirects to the live site. This
vulnerability is mitigated only by the end user's ability to recognize a URL
with malicious query parameters to avoid the social engineering required to
exploit the problem.
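The check the advisory describes as missing is that a user-supplied "destination" must resolve to a path on the same site before the application redirects to it. The following is an added illustration, not Drupal's own code or API: a small validator that accepts only site-relative paths and rejects the forms an absolute or scheme-relative URL can take. The function names (is_internal_destination, safe_destination) and the sample values are assumptions made for this example.

```python
# Added example (not part of the advisory or of Drupal core): validate a
# redirect "destination" parameter so that it can only point inside the site.
import re
from urllib.parse import urlsplit

# Any whitespace or control character inside a destination is suspicious:
# browsers strip or normalise some of them, which can turn a value that looks
# relative into an absolute URL after normalisation.
_BAD_CHARS = re.compile(r"[\s\x00-\x1f\x7f]")


def is_internal_destination(dest: str) -> bool:
    """Return True only if `dest` is a site-relative path.

    `dest` is expected to be the already URL-decoded parameter value, i.e.
    what the application sees after the request framework decoded the query.
    """
    if not dest:
        return False
    if _BAD_CHARS.search(dest):
        return False
    # A backslash is normalised to a forward slash by common browsers, so
    # "/\evil.example" would become "//evil.example"; refuse it outright.
    if "\\" in dest:
        return False
    parts = urlsplit(dest)
    # Any scheme ("http:", "javascript:", "mailto:") or authority part
    # ("//evil.example") means the value does not stay on this site.
    if parts.scheme or parts.netloc:
        return False
    # Belt and braces: after urlsplit, a path that still starts with "//"
    # must never be handed to a Location header.
    if parts.path.startswith("//"):
        return False
    return True


def safe_destination(dest: str, fallback: str = "") -> str:
    """Return `dest` if it is internal, otherwise the site's fallback path."""
    return dest if is_internal_destination(dest) else fallback


if __name__ == "__main__":
    # Constructed sample values for a quick manual run.
    for candidate in ["node/1", "user/login?foo=bar", "//attacker.example/login",
                      "http://attacker.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {safe_destination(candidate, '<front>')}")
```

The validator is applied to the decoded parameter, never to the raw query string, and the fallback is a fixed internal path so that a rejected value never reaches the Location header.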

.... Access bypass - forum listing

CVE: CVE-2012-1590
Drupal core's forum lists fail to check user access to nodes when displaying
them in the forum overview page. If an unpublished node was the most recently
updated in a forum then users who should not have access to unpublished forum
posts were still able to see meta-data about the forum post such as the
post title.

.... Access bypass - private images

CVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and
Image Styles which create derivative images from an original image that may
differ, for example, in size or saturation. Drupal core failed to properly
terminate the page request for cached image styles allowing users to access
image derivatives for images they should not be able to view. Furthermore,
Drupal didn't set the right headers to prevent image styles from being cached
in the browser.
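The private-image issue has two parts: the handler reached the access-denied decision but did not stop there, so a derivative that was already cached was still delivered, and the derivative was sent without headers telling the browser not to cache it. The following added example (not Drupal code; the data model, the owner-only access rule and the header values are assumptions made for the illustration) models both defects in a toy handler and shows the corrected control flow beside it.

```python
# Added example (not Drupal core): a toy handler for image-style derivatives
# of private files, showing the un-terminated access-denied path and the
# missing cache headers described for CVE-2012-1591, next to a fixed version.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed sample data standing in for the site's private file system.
PRIVATE_FILES = {
    "private://photos/alice.jpg": {"owner": "alice", "data": b"ORIGINAL-ALICE"},
}


def user_may_view(user: str, uri: str) -> bool:
    """Stand-in for the site's file access check (owner-only in this toy)."""
    record = PRIVATE_FILES.get(uri)
    return record is not None and record["owner"] == user


def make_derivative(style: str, data: bytes) -> bytes:
    """Stand-in for an Image Style transform; a real site would resize etc."""
    return style.encode() + b":" + data


def serve_derivative_unsafe(style: str, uri: str, user: str, cache: dict) -> Response:
    """Vulnerable pattern: the denial is recorded but the request is not
    terminated, so a derivative already in the cache is still returned to
    the denied user, and no Cache-Control header restricts caching."""
    resp = Response(200)
    if not user_may_view(user, uri):
        resp.status = 403            # decision made here ...
        # ... but no return, so the delivery code below still runs
    key = (style, uri)
    if key in cache:
        resp.body = cache[key]       # served regardless of resp.status
    elif resp.status == 200:
        resp.body = cache[key] = make_derivative(style, PRIVATE_FILES[uri]["data"])
    return resp


def serve_derivative(style: str, uri: str, user: str, cache: dict) -> Response:
    """Fixed pattern: deny and stop before touching the cache; on success,
    send headers that keep the private derivative out of browser and shared
    caches (header values chosen for this example)."""
    if not user_may_view(user, uri):
        return Response(403, {"Cache-Control": "no-store"})   # request ends here
    key = (style, uri)
    if key not in cache:
        cache[key] = make_derivative(style, PRIVATE_FILES[uri]["data"])
    headers = {"Content-Type": "image/jpeg", "Cache-Control": "private, no-store"}
    return Response(200, headers, cache[key])


if __name__ == "__main__":
    cache: dict = {}
    uri = "private://photos/alice.jpg"
    serve_derivative("thumb", uri, "alice", cache)       # warms the cache
    print(serve_derivative("thumb", uri, "mallory", cache))
```

The point of the comparison is ordering: the access decision must end the request before any cached artefact is looked up, and the success path must declare the response uncacheable for anyone but the requesting user.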

.... Access bypass - content administration

CVE: CVE-2012-2153
Drupal core provides the ability to list nodes on a site at admin/content.
Drupal core failed to confirm a user viewing that page had access to each
node in the list. This vulnerability only concerns sites running a
contributed node access module and is mitigated by the fact that users must
have a role with the "view content overview" permission. Unpublished nodes
were not displayed to users who only had the "view content overview"
permission.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal core 7.x versions prior to 7.13.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Drupal 7.x, upgrade to Drupal core 7.13 [3]

Also see the Drupal core [4] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * The Denial of Service vulnerability was reported by Jay Wineinger [5] and
    Lin Clark [6].
  * The unvalidated form redirect vulnerability was reported by Károly
    Négyesi [7] of the Drupal Security Team.
  * The access bypass in forum listing vulnerability was reported by Glen W
    [8].
  * The access bypass for private images vulnerability was reported by frega
    [9], Andreas Gonell [10], Jeremy Meier [11] and Xenza [12].
  * The access bypass for the content administration vulnerability was
    reported by Jennifer Hodgdon [13].

- -------- FIXED BY ------------------------------------------------------------

  * The Denial of Service was fixed by Károly Négyesi [14] of the Drupal
    Security Team.
  * The unvalidated form redirect was fixed by Wolfgang Ziegler [15] and
    Stéphane Corlosquet [16] of the Drupal Security Team.
  * The access bypass in forum listing was fixed by Michael Hess [17] of the
    Drupal Security Team, Ben Jeavons [18] of the Drupal Security Team and xjm
    [19].
  * The Access bypass for private images was fixed by Károly Négyesi [20] of
    the Drupal Security Team, Damien Tournoud [21] of the Drupal Security
    Team, Greg Knaddison [22] of the Drupal Security Team, Stéphane
    Corlosquet [23] of the Drupal Security Team, Xenza [24] and frega [25].
  * The Access bypass for content administration was fixed by Jennifer Hodgdon
    [26].

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [27].

Learn more about the Drupal Security team and their policies [28], writing
secure code for Drupal [29], and securing your site [30].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1558412
[4] http://drupal.org/project/drupal
[5] http://drupal.org/user/923254
[6] http://drupal.org/user/396253
[7] http://drupal.org/user/9446
[8] http://drupal.org/user/170314
[9] http://drupal.org/user/243377
[10] http://drupal.org/user/414525
[11] http://drupal.org/user/1271628
[12] http://drupal.org/user/1792496
[13] http://drupal.org/user/155601
[14] http://drupal.org/user/9446
[15] http://drupal.org/user/16747
[16] http://drupal.org/user/52142
[17] http://drupal.org/user/102818
[18] http://drupal.org/user/91990
[19] http://drupal.org/user/65776
[20] http://drupal.org/user/9446
[21] http://drupal.org/user/22211
[22] http://drupal.org/user/36762
[23] http://drupal.org/user/52142
[24] http://drupal.org/user/1792496
[25] http://drupal.org/user/243377
[26] http://drupal.org/user/155601
[27] http://drupal.org/contact
[28] http://drupal.org/security-team
[29] http://drupal.org/writing-secure-code
[30] http://drupal.org/security/secure-configuration

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----