=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN439
_____________________________________________________________________

DATE                      : 16/10/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Node Vote module for DRUPAL,
                               Node Clone module for DRUPAL,
                               Shindig-Integrator module for DRUPAL.

======================================================================
http://drupal.org/node/321685
http://drupal.org/node/321737
http://drupal.org/node/321758
______________________________________________________________________

SA-2008-064 - Node Vote - SQL injection vulnerability

     * Advisory ID: DRUPAL-SA-2008-064
     * Project: Node Vote (third-party module)
     * Versions: 5.x and 6.x
     * Date: 2008-October-15
     * Security risk: Critical
     * Exploitable from: Remote
     * Vulnerability: SQL injection

Description

   The Node Vote module allows authorized users to vote on certain
   types of nodes.

   If the administrator has enabled the "Allow user to vote again"
   setting for the Node Vote module, malicious user can inject SQL when
   changing a previously cast vote. This is because Node Vote does not
   properly use the Drupal database API and inserts values from URLs
   directly into queries under these conditions. This can be exploited to
   perform SQL Injection attacks. These attacks may lead to a
   malicious user gaining administrator access.

Versions Affected

     * Versions of Node Vote for Drupal 5.x prior to 5.x-1.1
     * Versions of Node Vote for Drupal 6.x prior to 6.x-1.0

   Drupal core is not affected. If you do not use the Node Vote module,
   there is nothing you need to do.

Solution

   Install the latest version.
     * If you use Node Vote for Drupal 5.x upgrade to 5.x-1.1
     * If you use Node Vote for Drupal 6.x upgrade to 6.x-1.0

   Also see the Node Vote project page.

Reported by

   Stéphane Corlosquet (scor) of the Drupal security team.

Contact

   The security contact for Drupal can be reached at security at
   drupal.org or via the form at http://drupal.org/contact and by
   selecting the security issues category.

________________________________________________________________________

SA-2008-065 - Node Clone - Access bypass

     * Advisory ID: DRUPAL-SA-2008-065
     * Project: Node Clone (third-party module)
     * Version: 6.x, and 5.x.
     * Date: 2008-October-15
     * Security risk: Less critical
     * Exploitable from: Remote
     * Vulnerability: Access bypass

Description

   The third-party Node Clone module enables users to make a copy of an
   existing item of content (a node), and then edit that copy.

   The module contains a flaw that allows a user with the 'clone node'
   permission to potentially bypass normal viewing access restrictions,
   for example allowing the user to see unpublished nodes even if they do
   not have permission to view unpublished nodes.

Versions affected

     * All versions of Node Clone prior to October 15, 2008

   Drupal core is not affected. If you do not use the contributed Node
   Clone module, there is nothing you need to do.

Solution

   Install the latest version:
     * If you use 6.x-1.0-beta2 upgrade to Node clone 6.x-1.0.
     * If you use 5.x-2.5 upgrade to Node clone 5.x-2.6.
     * If you use 5.x-1.5 upgrade to Node clone 5.x-1.6.

   See also the Node Clone project page.

Reported by

   Peter Wolanin of the Drupal security team.

Contact

   The security contact for Drupal can be reached at security at
   drupal.org or via the form at http://drupal.org/contact.

_____________________________________________________________________

SA-2008-066 - Shindig-Integrator - Multiple vulnerabilities

     * Advisory ID: DRUPAL-SA-2008-066
     * Project: Shindig-Integrator (third-party module)
     * Versions: 5.x
     * Date: 2008-October-15
     * Security risk: Less critical
     * Exploitable from: Remote
     * Vulnerability: Multiple vulnerabilities

Description

   Shindig-Integrator integrates the open social Shindig container with
   Drupal.

   The module contains numerous flaws. Among them are the following
   issues.
     * Malicious users are able to insert arbitrary HTML and script code
       into certain module generated pages. Such a Cross site
       scripting vulnerability can be used to gain administrator access.
     * The module fails to restrict access to module generated pages.

Versions Affected

     * All versions of Shindig-Integrator

   Drupal core is not affected. If you do not use the Shindig-Integrator
   module, there is nothing you need to do.

Solution

   There is no solution available. Please disable the module and remove
   it from your site.

Reported by

     * The vulnerability was reported by Tony Mobily (mercmobily)

Contact

   The security contact for Drupal can be reached at security at
   drupal.org or via the form at http://drupal.org/contact and by
   selecting the security issues category.


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================