===================================================================== CERT-Renater Note d'Information No. 2008/VULN602 _____________________________________________________________________ DATE : 18/12/2008 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running VIEWS module for DRUPAL, SERVICES module for DRUPAL. ====================================================================== http://drupal.org/node/348321 http://drupal.org/node/348295 ______________________________________________________________________ - ------------SA-2008-075 - VIEWS - SQL INJECTION------------ * Advisory ID: DRUPAL-SA-2008-075 * Project: Views * Versions: 6.x * Date: 2008-December-16 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: SQL injection - ------------DESCRIPTION------------ The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. When using an exposed filter on CCK [ http://drupal.org/project/cck ] text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection [ http://en.wikipedia.org/wiki/SQL_injection ] attacks against the site. - ------------VERSIONS AFFECTED------------ * Versions of Views for Drupal 6.x prior to 6.x-2.2 Drupal core is not affected. If you do not use the Views module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version. * If you use Views for Drupal 6.x upgrade to 6.x-2.2 [ http://drupal.org/node/347831 ] Also see the Views project page [ http://drupal.org/project/views ]. - ------------REPORTED BY------------ * Peter Fisera (goatvirus [ http://drupal.org/user/360900 ]) * Mariano D'Agostino (dagmar [ http://drupal.org/user/154086 ]) - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category. ______________________________________________________________________ - ------------SA-2008-074 - SERVICES - INSECURE SIGNING------------ * Advisory ID: DRUPAL-SA-2008-074 * Project: Services (third-party module) * Versions: 5.x and 6.x * Security risk: Critical * Exploitable from: Remote * Vulnerability: Repeat attacks and impersonation - ------------DESCRIPTION------------ Services is a module which provides an API for exposing Drupal functions. It allows clients to remotely call methods on the server and return the requested data for local processing. The module doesn't sign enough of the information that passes through it and uses an insecure hash for signing a part of the request, allowing for impersonation attacks. In addition the validity of the request does not time out and can therefore be used multiple times, allowing for repeat attacks. - ------------VERSIONS AFFECTED------------ * Versions of Services for Drupal 5.x prior to 5.x-0.92 * Versions of Services for Drupal 6.x prior to 6.x-0.13 Drupal core is not affected. If you do not use the Services module, there is nothing you need to do. - ------------SOLUTION------------ Install the latest version. * If you use Services for Drupal 5.x upgrade to Services 5.x-0.92 [ http://drupal.org/node/303265 ] * If you use Services for Drupal 6.x upgrade to Services 6.x-0.13 [ http://drupal.org/node/304938 ] Also see the Services project page [ http://drupal.org/project/services ]. - ------------REPORTED BY------------ * Steven Wittens (Steven [ http://drupal.org/user/10] ]) - ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================