=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN550
_____________________________________________________________________

DATE                      : 27/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running COMMENT MAIL for DRUPAL,
                              USER KARMA for DRUPAL.

======================================================================
http://drupal.org/node/339495
http://drupal.org/node/339553
______________________________________________________________________

- ------------SA-2008-070 - COMMENT MAIL - CROSS SITE REQUEST FORGERY------------

  * Advisory ID: DRUPAL-SA-2008-070

  * Project: Comment Mail

  * Versions: 5.x

  * Date: 2008-November-26

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Cross site request forgery

- ------------DESCRIPTION------------

The Comment Mail module allows an email to be sent to the site administrator(s)
when new comments are posted. Links in the email allow for quick approval,
editing, deletion of the comment and/or banning of the poster's IP address.

Unfortunately some links are vulnerable to cross site request forgeries [
http://en.wikipedia.org/wiki/Cross-site_request_forgery ] (CSRF), making it
possible for malicious users to force administrators (or any user with the
"administer comments" permission) to unknowingly ban IP addresses and approve or
delete any comment.
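As an added illustration (not the Comment Mail module's code and not its actual fix), the following stand-alone PHP contrasts an action link that acts on a bare GET request with one whose token is bound to the administrator's session and to the specific action; the secret, session id, comment id and URL are constructed placeholders.

```php
<?php
// Added illustration, not the Comment Mail module's code. Models the two
// patterns behind SA-2008-070: an action link that acts on a bare GET, and
// the same link carrying a token bound to the session and the action.
// Secret, session id and comment id are constructed placeholders. The same
// idea underlies Drupal 5's drupal_get_token()/drupal_valid_token().

$secret     = 'constructed-site-private-key';
$session_id = 'constructed-admin-session';

// Token binds the action and comment id to the administrator's session.
function action_token($action, $cid, $session_id, $secret) {
    return hash_hmac('sha256', "$action:$cid", $session_id . $secret);
}

// Vulnerable pattern: anything that makes the admin's browser request this
// URL (an image tag on another site, a link in mail) performs the action.
function build_link_unprotected($action, $cid) {
    return "http://example.invalid/comment_mail/$action/$cid";
}

// Hardened pattern: the URL carries a token a third party cannot compute.
function build_link_protected($action, $cid, $session_id, $secret) {
    $token = action_token($action, $cid, $session_id, $secret);
    return "http://example.invalid/comment_mail/$action/$cid?token=$token";
}

// Handler side: refuse the action unless the token matches for this session.
function handle_request(array $query, $action, $cid, $session_id, $secret) {
    $expected = action_token($action, $cid, $session_id, $secret);
    if (!isset($query['token']) || $query['token'] !== $expected) {
        return 'denied: missing or invalid token';
    }
    return "ok: $action comment $cid";
}

// Demonstration with constructed values.
$link = build_link_protected('delete', 42, $session_id, $secret);
parse_str(parse_url($link, PHP_URL_QUERY), $query);
echo handle_request($query, 'delete', 42, $session_id, $secret), "\n";   // ok
// A request without a token (the shape of the unprotected link) is refused.
echo handle_request(array(), 'delete', 42, $session_id, $secret), "\n";  // denied
// A token issued for a different action does not transfer.
$wrong = array('token' => action_token('approve', 42, $session_id, $secret));
echo handle_request($wrong, 'delete', 42, $session_id, $secret), "\n";   // denied
```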

- ------------VERSIONS AFFECTED------------

  * Comment Mail for Drupal 5.x prior to 5.x-1.1

Drupal core is not affected. If you do not use the Comment Mail module, there
is nothing you need to do.

- ------------SOLUTION------------

Install the latest version.

  * If you use Comment Mail upgrade to Comment Mail 5.x-1.1 [
http://drupal.org/node/339506 ].

Also see the Comment Mail project page [ http://drupal.org/project/commentmail ].

- ------------REPORTED BY------------

The module maintainer Maarten van Grootel (maartenvg [
http://drupal.org/user/109716 ])

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.

______________________________________________________________________

- ------------SA-2008-071 - USER KARMA - MULTIPLE VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-071

  * Project: User Karma

  * Versions: 5.x and 6.x

  * Date: 2008-November-26

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: SQL injection, Cross-site scripting (XSS)

- ------------DESCRIPTION------------

The User Karma module displays and manages karma points of users. How karma
points are calculated is defined by other modules which hook into the User Karma
module.

Unfortunately the User Karma module allows administrators to enter a list of
content types and voting API values which are then used directly in SQL queries
without being sanitized, enabling SQL injection attacks [
http://en.wikipedia.org/wiki/SQL_injection ] by malicious users. The module also
contains a cross site scripting attack [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS) vulnerability as some
messages are displayed without being sanitized.
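As an added illustration (not the User Karma module's code), the following stand-alone PHP shows why an administrator-entered list of content types spliced into a query is dangerous, and the two defensive steps: validate the setting against the known content types, then pass the values as placeholders. It uses an in-memory SQLite database through PDO so it runs offline; the table, its rows and the hostile setting are constructed.

```php
<?php
// Added illustration, not the User Karma module's code. Models the pattern
// in SA-2008-071: an administrator-entered list of content types spliced
// into SQL text. Uses an in-memory SQLite database via PDO so it runs
// stand-alone; Drupal 5 itself uses db_query() with '%s' placeholders.

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE node (nid INTEGER, type TEXT)");
foreach (array(array(1, 'story'), array(2, 'page'), array(3, 'secret')) as $row) {
    $db->prepare("INSERT INTO node VALUES (?, ?)")->execute($row);   // constructed rows
}

// Vulnerable pattern: the setting string becomes part of the SQL text, so a
// value containing a quote rewrites the clause instead of matching a type.
function count_nodes_unsafe(PDO $db, $types_setting) {
    $list = "'" . str_replace(',', "','", $types_setting) . "'";
    return (int) $db->query("SELECT COUNT(*) FROM node WHERE type IN ($list)")
                    ->fetchColumn();
}

// Hardened step 1: accept only names that are known content types.
// Returns the rejected entries so a form validator can report them.
function reject_unknown_types(array $types, array $known) {
    return array_values(array_diff($types, $known));
}

// Hardened step 2: one placeholder per value; the values travel as data.
function count_nodes_safe(PDO $db, array $types) {
    $marks = implode(',', array_fill(0, count($types), '?'));
    $stmt  = $db->prepare("SELECT COUNT(*) FROM node WHERE type IN ($marks)");
    $stmt->execute($types);
    return (int) $stmt->fetchColumn();
}

$known   = array('story', 'page', 'secret');   // what the site's node types would list
$setting = "story,page') OR ('1'='1";          // constructed hostile admin setting

echo count_nodes_unsafe($db, $setting), "\n";  // 3: the IN clause was rewritten
$types = array_map('trim', explode(',', $setting));
$bad   = reject_unknown_types($types, $known);
if ($bad) {
    echo 'rejected: ', implode(' | ', $bad), "\n";   // the validator stops it here
}
echo count_nodes_safe($db, array('story', 'page')), "\n";   // 2: only real types match
```

Run with `php file.php`; it needs the pdo_sqlite extension.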

- ------------VERSIONS AFFECTED------------

  * Versions of User Karma for Drupal 5.x prior to 5.x-1.13

  * Versions of User Karma for Drupal 6.x prior to 6.x-1.0-beta1

Drupal core is not affected. If you do not use the User Karma module, there is
nothing you need to do.

- ------------SOLUTION------------

Install the latest version.

  * If you use User Karma for Drupal 5.x upgrade to 5.x-1.13 [
http://drupal.org/node/339580 ]

  * If you use User Karma for Drupal 6.x upgrade to 6.x-1.0-beta1 [
http://drupal.org/node/339582 ]

Also see the User Karma project page [ http://drupal.org/project/user_karma ].

- ------------REPORTED BY------------

Stéphane Corlosquet (scor [ http://drupal.org/user/52142 ]) of the Drupal
security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.

_________________________________________________________________________________

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================