Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0087 Multiple vulnerabilities have been fixed in Drupal core 17 January 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote with User Interaction Access Privileged Data -- Remote with User Interaction Resolution: Patch/Upgrade Original Bulletin: http://drupal.org/SA-CORE-2013-001 - --------------------------BEGIN INCLUDED TEXT-------------------- * Advisory ID: DRUPAL-SA-CORE-2013-001 * Project: Drupal core [1] * Version: 6.x, 7.x * Date: 2013-January-16 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Access bypass - -------- DESCRIPTION --------------------------------------------------------- Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. .... Cross-site scripting (Various core and contributed modules - Drupal 6 and 7) A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue. jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection. Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided. CVE: Requested. .... Access bypass (Book module printer friendly version - Drupal 6 and 7) A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to. This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline. CVE: Requested. .... Access bypass (Image module - Drupal 7) Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view. This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system. CVE: Requested. - -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ - -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 6.x versions prior to 6.28. * Drupal core 7.x versions prior to 7.19. - -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 6.x, upgrade to Drupal core 6.28 [4]. * If you use Drupal 7.x, upgrade to Drupal core 7.19 [5]. Also see the Drupal core [6] project page. - -------- REPORTED BY --------------------------------------------------------- * The cross-site scripting issue in various Drupal core and contributed modules was reported by t.ashula, and by David Rothstein [7] of the Drupal Security Team. * The access bypass issue in the Book module was reported by Mark Lindsey [8]. * The access bypass issue in the Drupal 7 Image module was reported by Kressin Roger [9], Christian Johansson [10], Anders Olsson [11] and saschadrupal [12]. - -------- FIXED BY ------------------------------------------------------------ * The cross-site scripting issue in various Drupal core and contributed modules was fixed by t.ashula, Théodore Biadala [13], Katherine Bailey [14], Steve De Jonghe [15] and J. Renée Beach [16], and by Dylan Tack [17], Greg Knaddison [18], David Rothstein [19] and Damien Tournoud [20] of the Drupal Security Team. * The access bypass issue in the Book module was fixed by Mark Lindsey [21], and by Fox [22], David Rothstein [23] and Peter Wolanin [24] of the Drupal Security Team. * The access bypass issue in the Drupal 7 Image module was fixed by Heine Deelstra [25] of the Drupal Security Team, and by Anders Olsson [26]. - -------- COORDINATED BY ------------------------------------------------------ * David Rothstein [27], Gábor Hojtsy [28], Stéphane Corlosquet [29], Greg Knaddison [30], Heine Deelstra [31] and Peter Wolanin [32] of the Drupal Security Team * Jeremy Thorson [33] of the QA/Testing Infrastructure Team - -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [34]. Learn more about the Drupal Security team and their policies [35], writing secure code for Drupal [36], and securing your site [37]. [1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/drupal-6.28-release-notes [5] http://drupal.org/drupal-7.19-release-notes [6] http://drupal.org/project/drupal [7] http://drupal.org/user/124982 [8] http://drupal.org/user/1924632 [9] http://drupal.org/user/1605796 [10] http://drupal.org/user/204187 [11] http://drupal.org/user/855656 [12] http://drupal.org/user/245825 [13] http://drupal.org/user/598310 [14] http://drupal.org/user/172987 [15] http://drupal.org/user/264148 [16] http://drupal.org/user/748566 [17] http://drupal.org/user/96647 [18] http://drupal.org/user/36762 [19] http://drupal.org/user/124982 [20] http://drupal.org/user/22211 [21] http://drupal.org/user/1924632 [22] http://drupal.org/user/426416 [23] http://drupal.org/user/124982 [24] http://drupal.org/user/49851 [25] http://drupal.org/user/17943 [26] http://drupal.org/user/855656 [27] http://drupal.org/user/124982 [28] http://drupal.org/user/4166 [29] http://drupal.org/user/52142 [30] http://drupal.org/user/36762 [31] http://drupal.org/user/17943 [32] http://drupal.org/user/49851 [33] http://drupal.org/user/148199 [34] http://drupal.org/contact [35] http://drupal.org/security-team [36] http://drupal.org/writing-secure-code [37] http://drupal.org/security/secure-configuration - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUPdX5O4yVqjM2NGpAQKu7BAAlViswiNIN9RBKS6URyPqSOx51dhZPD+a 1Zwm31XpTBiS03AIBcpIroaeWLElZ+a2SUzJDOurwQuDYsN3tvrVx1LTWPf4s+lt Rr79RYz1xkiEajT4ycmWoWe+ExiTPjVzWrCCalT9VTDKFixlyHvu2YlUxvKW3RLD yZsbFhiP57I4u0Xa1gs6y7lQycrD9iL2hKnevJSz0osJoWPRlhm+Y4mVUn+l3rmU HvOKGN4Y7+QIP1QNGkpyj0pESMmMKdo/zyyn+QT2rrsCXtG6UO59oqUiGwRM1zZ4 /lu24OUpA8EKKqS3ffIPa9SI6Q43pAQKw8D2CeihK4ZKiSwFpkb1BWtcI6cJfL9G NhiuyjApXZtvGO5KbVQuLk6pYfe4JOS9z7x1KHn1KXxFHPVlTonLolfVUHCd+Roj qhM93qxllaAEGQUheWujmYut0AhruZGZVlGr1iZGz62rjMgORK8gqJ+hJsm/Hl/Z epBpnQrEsXd8mU2YCFyfXCZVp+VklBrIBnfnn8PCujFjNVM5wP8LwDcYu0Z6vQ7x gvt22ULE/Kflu9WsfhL6hevkWcNAcgHtVu4uJ85uKHe5U3UiKkJ9kEN0q6y5iOcq SPwFsdCLRfmBb2s1AZNhZrcXD+asVhWI9ZuJ81TnBw+8cB3pHLKZZHEmr+M6f2ji Bduh+sgbDpg= =hrvs -----END PGP SIGNATURE-----