=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN368
_____________________________________________________________________

DATE                      : 19/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Talk for DRUPAL.

======================================================================
http://drupal.org/node/309758
______________________________________________________________________


SA-2008-049 - Talk - Multiple vulnerabilities

Heine - September 17, 2008 - 16:11

     * Advisory ID: DRUPAL-SA-2008-049
     * Project: Talk (third-party module)
     * Version: 5.x, 6.x
     * Date: 2008-September-17
     * Security risk: Moderately critical
     * Exploitable from: Remote
     * Vulnerability: Cross site scripting, Node access bypass

Description

The Talk module for Drupal 5.x and 6.x creates a "Talk" tab for nodes in 
which the comments belonging to the node are displayed.

Two vulnerabilities and weaknesses were discovered in the contributed
Talk module.

Cross site scripting
The node title is treated as if it was safe text, and is not escaped
before being displayed. This allows users to insert arbitrary HTML and
script code into the Talk pages. Wikipedia has more information about
such cross site scripting (XSS) attacks.

Node access bypass
To view the comments of a normal node, you must view the node page
itself, and thus you must always have access to view a node before you
can view its comments. The Talk module bypassed this by displaying
comments on a separate page and not confirming that a user has access to
view the node before displaying the comments.
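
Both flaws next to their fixes, as an added example that is not code from the
Talk module or from Drupal: a stand-alone PHP model in which every example_*
name and the sample nodes are hypothetical. In Drupal 5.x/6.x the equivalent
core calls are check_plain() and node_access('view', $node).

```php
<?php
// Added illustration, not Talk module code. All names below are hypothetical.
// Drupal 5.x/6.x equivalents: check_plain() for escaping and
// node_access('view', $node) for the access check.

// Constructed sample data: a public node with markup in its title, and a
// node the anonymous viewer is not allowed to see.
$nodes = array(
  1 => array('title' => '<script>alert(1)</script>', 'public' => TRUE,
             'comments' => array('First comment')),
  2 => array('title' => 'Internal roadmap', 'public' => FALSE,
             'comments' => array('Confidential remark')),
);

// Stand-in for node_access('view', ...): may this viewer see the node?
function example_can_view($node, $viewer_is_privileged) {
  return $node['public'] || $viewer_is_privileged;
}

// Stand-in for check_plain(): encode HTML metacharacters in plain text.
function example_escape($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Behaviour described in the advisory: raw title, no access check.
function example_talk_page_unsafe($node) {
  $out = '<h1>Talk: ' . $node['title'] . '</h1>';
  foreach ($node['comments'] as $c) {
    $out .= '<p>' . example_escape($c) . '</p>';
  }
  return $out;
}

// Hardened: refuse before rendering anything, then escape the title.
function example_talk_page_safe($node, $viewer_is_privileged) {
  if (!example_can_view($node, $viewer_is_privileged)) {
    return NULL; // caller should answer with 403 Access denied
  }
  $out = '<h1>Talk: ' . example_escape($node['title']) . '</h1>';
  foreach ($node['comments'] as $c) {
    $out .= '<p>' . example_escape($c) . '</p>';
  }
  return $out;
}

// Render both nodes for an unprivileged viewer and compare the two paths.
foreach ($nodes as $nid => $node) {
  echo "node $nid unsafe: ", example_talk_page_unsafe($node), "\n";
  $safe = example_talk_page_safe($node, FALSE);
  echo "node $nid safe:   ", ($safe === NULL ? '403 Access denied' : $safe), "\n";
}
```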


Versions affected

     * Talk for Drupal 5.x before version 5.x-1.3
     * Talk for Drupal 6.x before version 6.x-1.5

Drupal core is not affected. If you do not use the contributed Talk
module, there is nothing you need to do.


Solution

Install the latest version:

     * If you currently use Talk 5.x-1.x upgrade to Talk 5.x-1.3
     * If you currently use Talk 6.x-1.x upgrade to Talk 6.x-1.5

See also the Talk project page.


Reported by

     * christefano

Contact

The security contact for Drupal can be reached at security at drupal.org 
or via the form at http://drupal.org/contact.


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




