=====================================================================
CERT-Renater Information Note No. 2008/VULN287
_____________________________________________________________________
DATE : 10/07/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running the OpenID module for Drupal versions 5.x.
======================================================================
http://drupal.org/node/280592
______________________________________________________________________

SA-2008-045 - OpenID - Multiple vulnerabilities

Security announcements
Heine - July 9, 2008 - 22:08

* Advisory ID: DRUPAL-SA-2008-045
* Project: OpenID (third-party module)
* Version: 5.x
* Date: 2008-July-9
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting, Cross site request forgeries

Description

The OpenID module for Drupal 5.x allows users to create an account or log into a Drupal site using one or more OpenID identities. Find out more about OpenID at http://openid.net.

Two vulnerabilities and weaknesses were discovered in the contributed OpenID module.

Cross site scripting

Some information sent from the OpenID provider is not escaped before it is displayed. Wikipedia has more information about cross site scripting (XSS).

Cross site request forgeries

The Drupal Forms API protects against Cross Site Request Forgeries (CSRF), where a malicious site can cause a user to unintentionally take actions on another site where they are authenticated. The OpenID module allowed OpenID identities to be deleted simply by clicking a link. Thus, a user could have all of their identities removed and no longer be able to log in with OpenID.

Versions affected

* OpenID for Drupal 5.x before version 5.x-1.2

Drupal 5.x core is not affected. If you do not use the contributed OpenID module for Drupal 5.x, there is nothing you need to do.
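The two weaknesses above, shown as an added illustration in Drupal 5 module style (this is not the OpenID module's own code): an unescaped provider field beside its check_plain() form, and a delete reachable by a plain link beside a Forms API confirmation that only fires on a token-carrying POST. The function names, the {authmap} storage and the Drupal 5 API calls (confirm_form, check_plain, db_query, drupal_set_message, the ($form_id, $form_values) submit signature) are assumptions.

```php
<?php
// Added illustration, not the OpenID module's code. Assumed Drupal 5 API:
// check_plain(), confirm_form(), db_query(), drupal_set_message(), t().
// Assumed storage: identities live in {authmap} keyed by (uid, aid).

// --- Weakness 1: provider-supplied data rendered unescaped (XSS) ---
// $response is a hypothetical array of fields returned by the OpenID provider.
function example_openid_render_unsafe($response) {
  // Untrusted markup from the provider lands in the page as-is.
  return '<p>Logged in as ' . $response['openid.identity'] . '</p>';
}
function example_openid_render_safe($response) {
  // check_plain() HTML-encodes the untrusted string before output.
  return '<p>Logged in as ' . check_plain($response['openid.identity']) . '</p>';
}

// --- Weakness 2: state change reachable by a plain GET link (CSRF) ---
// Unsafe: a menu callback that deletes on any request to its path. A page
// elsewhere that embeds that URL performs the deletion for a logged-in user.
function example_openid_delete_unsafe($uid, $aid) {
  db_query('DELETE FROM {authmap} WHERE uid = %d AND aid = %d', $uid, $aid);
}

// Safe: build the deletion as a Forms API confirmation form. drupal_get_form()
// embeds a per-session form token and rejects a submission without it, so a
// bare link can no longer trigger the delete. Called via
// drupal_get_form('example_openid_delete_form', $uid, $aid).
function example_openid_delete_form($uid, $aid) {
  $form['uid'] = array('#type' => 'value', '#value' => $uid);
  $form['aid'] = array('#type' => 'value', '#value' => $aid);
  return confirm_form($form,
    t('Are you sure you want to delete this OpenID?'),
    'user/' . $uid . '/openid',
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}
// Drupal 5 submit handler: reached only after the token was validated.
function example_openid_delete_form_submit($form_id, $form_values) {
  db_query('DELETE FROM {authmap} WHERE uid = %d AND aid = %d',
    $form_values['uid'], $form_values['aid']);
  drupal_set_message(t('OpenID deleted.'));
  return 'user/' . $form_values['uid'] . '/openid';  // redirect path
}
```

The same pattern applies to any other state-changing link in a module: route it through a form so the Forms API token check, which the advisory relies on, is in the request path.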
Solution

Install the latest version:

* If you currently use OpenID 5.x-1.0 or 5.x-1.1, upgrade to OpenID 5.x-1.2

See also the OpenID project page.

Reported by

* Neil Drumm (drumm) of the Drupal Security Team
* Peter Wolanin (pwolanin) of the Drupal Security Team

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44     +
+ 151 bd de l'Hopital    | fax : 01-53-94-20-41     +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================