=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN415
_____________________________________________________________________

DATE                      : 09/10/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running SIOC for DRUPAL, EVERYBLOG
                               for DRUPAL.

======================================================================
http://drupal.org/node/318739
http://drupal.org/node/318749
http://drupal.org/node/318746
______________________________________________________________________

SA-2008-063 - multiple third party modules - Access bypass due to
incorrect Drupal 6 updates

AjK - October 8, 2008 - 21:28

    * Advisory ID: DRUPAL-SA-2008-063
    * Project: Several Third-Party Modules incorrectly updated for the
Drupal 6 menu system
    * Version: 6.x
    * Date: 2008-October-8
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Access bypass

Description

Several contributed modules were incorrectly updated for the Drupal 6
menu system in such a way that the intended access controls are likely to
be bypassed by unprivileged users. In some cases, this includes access
to some of the administrative functions of these modules, or access to
content the user would otherwise be prohibited from seeing.

Drupal core is not affected. Disabling the affected modules provides an
immediate workaround.


Versions affected

    * Live module 6.x before version 6.x-1.0
    * AJAX Picture Preview module 6.x before version 6.x-1.2
    * Admin:hover module 6.x-1.x-dev before 2008-Oct-08
    * Banner Rotor Module before version 6.x-1.3
    * Creative Commons Lite module 6.x before version 6.x-1.1
    * Keyboard shortcut utility module 6.x before version 6.x-1.1
    * LiveJournal CrossPoster module 6.x before version 6.x-1.4
    * Taxonomy import/export via XML module 6.x before version 6.x-1.2
    * User Referral module 6.x-1.x-dev before 2008-Oct-08

Drupal core is not affected. If you do not use a contributed module from
the list above on a Drupal 6 site, there is nothing you need to do.


Solution

If you are running any of the modules from the list above, upgrade to
the version specified in the list.


Important note

If you are the author of a contributed module being updated for Drupal
6, please read the documentation on the Drupal 6 menu system carefully
to ensure that you do not make the same mistake:
http://drupal.org/node/109157
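
The advisory does not say which porting mistake each module made. The following is an added illustration, not code from the advisory or from any of the listed modules, of the best-known Drupal 6 menu pitfall (assumed here to be the kind of error meant): in Drupal 6 the menu router is built once and cached, so an access decision computed inside hook_menu() is frozen for every later visitor. The module name "example", the permission "administer example" and the form id are made up.

```php
<?php
// Added example, not part of the advisory. Module, permission and form
// names are hypothetical.

/**
 * WRONG for Drupal 6: the router is built once (usually while an
 * administrator installs the module or clears caches) and stored.
 * user_access() therefore runs in that administrator's session, returns
 * TRUE, and the constant TRUE is saved as the item's access rule, so every
 * user, including anonymous, can reach the settings form.
 * (In Drupal 5 the equivalent 'access' => user_access(...) key was
 * evaluated per request; in Drupal 6 that old key is simply ignored.)
 */
function example_menu_insecure() {
  $items['admin/settings/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_settings_form'),
    // Evaluated at router-build time, not for the visiting user.
    'access callback' => user_access('administer example'),
  );
  return $items;
}

/**
 * RIGHT for Drupal 6: name the check and its arguments. Drupal calls
 * user_access('administer example') for the current user on each request.
 */
function example_menu() {
  $items['admin/settings/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_settings_form'),
    'access callback' => 'user_access',   // the default; may be omitted
    'access arguments' => array('administer example'),
  );
  return $items;
}

/**
 * Declare the permission so it can be granted per role under
 * admin/user/permissions; without this, user_access() returns FALSE for
 * everyone except user 1.
 */
function example_perm() {
  return array('administer example');
}
```

To check an already deployed module, review its hook_menu() for any 'access callback' value that is a literal TRUE or a function call rather than a quoted function name, and clear the menu cache after fixing it so the stored router is rebuilt.
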

Reported by

John Morahan and Peter Wolanin of the Drupal security team.


Contact

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

__________________________________________________________________________

------------SA-2008-062 - SIOC - ACCESS BYPASS------------

  * Advisory ID: DRUPAL-SA-2008-062

  * Project: SIOC (third-party module)

  * Versions: 5.x and 6.x

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Access bypass

------------DESCRIPTION------------

The SIOC (Semantically-Interconnected Online Communities) project is an
open specification for describing communities using online discussion
forums or blogs. The module allows Drupal sites to attach metadata to
users, posts, comments etc. in line with this specification.

The module doesn't implement Drupal's menu and database APIs correctly,
allowing unprivileged users to view comments, hashed emails, usernames
and roles which they might otherwise not have access to.

------------VERSIONS AFFECTED------------

  * Versions of SIOC for Drupal 5.x prior to 5.x-1.2

  * Versions of SIOC for Drupal 6.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the SIOC module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version.

  * If you use SIOC for Drupal 5.x upgrade to SIOC 5.x-1.2 [
http://drupal.org/node/318762 ]

  * If you use SIOC for Drupal 6.x upgrade to SIOC 6.x-1.1 [
http://drupal.org/node/318744 ]

Also see the SIOC project page [ http://drupal.org/project/sioc ].

------------REPORTED BY------------

  * Stéphane Corlosquet [ http://drupal.org/user/52142 ] and Peter Wolanin
[ http://drupal.org/user/49851 ] of the Drupal security team

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ] and by selecting the
security issues category.

___________________________________________________________________________

------------SA-2008-061 - EVERYBLOG - MULTIPLE VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-061

  * Project: EveryBlog (third-party module)

  * Versions: 5.x and 6.x

  * Date: 2008-October-08

  * Security risk: Highly critical

  * Exploitable from: Remote

  * Vulnerability: SQL injection, Cross-site scripting (XSS), Privilege
    escalation, access bypass

------------DESCRIPTION------------

The module does not follow Drupal best practices for database queries
and handling of user submitted data, leading to a number of
vulnerabilities. Of special concern is that an unprivileged user may
become logged in to the account of an existing user, including an
administrator.

------------VERSIONS AFFECTED------------

  * All versions of EveryBlog

Drupal core is not affected. If you do not use the EveryBlog module,
there is nothing you need to do.

------------SOLUTION------------

Please disable the module and remove it from your site.

All affected releases of this module have been removed from Drupal.org.

------------REPORTED BY------------

  * The privilege escalation was reported by Dan Hassel

  * The SQL injection, XSS and access bypass were reported by members of
the Drupal security team

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ] and by selecting the
security issues category.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
