=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN303
_____________________________________________________________________

DATE                      : 31/07/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running  Live for Drupal,
                             Bibliography Module for Drupal,
                             Calendar for Drupal, Date for Drupal.

======================================================================
http://drupal.org/node/534914
http://drupal.org/node/534842
http://drupal.org/node/534652
http://drupal.org/node/534636
______________________________________________________________________

SA-CONTRIB-2009-049 - Live - Privilege escalation, Impersonation
Drupal Security Team - July 29, 2009 - 20:37

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-049
    * Project: Live (third-party module)
    * Version: 6.x
    * Date: 2009-July-29
    * Security risk: Highly critical
    * Exploitable from: Remote
    * Vulnerability: Impersonation, privilege escalation

Description

The Live module provides dynamic previews of content. When editing
certain content (nodes), the current user becomes logged in as the
content's original author.


Versions affected

    * Live for Drupal 6.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Live
module, there is nothing you need to do.


Solution

Upgrade to the latest version:

    * If you use Live for Drupal 6.x upgrade to Live 6.x-1.2

See also the Live project page.


Reported by

Roderik Muit
Fixed by

frjo
Contact

The security contact for Drupal can be reached at security at
drupal.org or via the form at http://drupal.org/contact

_______________________________________________________________________


SA-CONTRIB-2009-048 - Bibliography Module - Cross Site Scripting
Drupal Security Team - July 29, 2009 - 19:32

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-048
    * Project: Bibliography Module (third-party module)
    * Version: 5.x, 6.x
    * Date: 2009-July-29
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description

The Bibliography module (Biblio) allows users to manage and display
lists of scholarly publications. The module contains a cross site scripting
vulnerability because it does not properly sanitize output of titles
before display. A user who has the permission to create content displayed
by the Bibliography module could attempt a cross site scripting (XSS)
attack which may lead to the user gaining full administrative access.


Versions affected

    * Bibliography Module versions 6.x prior to 6.x-1.6
    * Bibliography Module versions 5.x prior to 5.x-1.17

Drupal core is not affected. If you do not use the contributed
Bibliography module, there is nothing you need to do.


Solution

Install the latest version:

    * If you use the Bibliography Module for Drupal 6.x upgrade to Bibliography Module 6.x-1.6
    * If you use the Bibliography Module for Drupal 5.x upgrade to Bibliography Module 5.x-1.17

See also the Bibliography Module project page.


Reported by

Justin Klein Keane.


Fixed by

Justin Klein Keane and Ron Jerome (the Bibliography module maintainer).


Contact

The security team for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

______________________________________________________________________


SA-CONTRIB-2009-047 - Calendar - Cross Site Scripting
Drupal Security Team - July 29, 2009 - 16:47

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-047
    * Project: Calendar (third-party module)
    * Version: 6.x
    * Date: 2009-July-29
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description

The Calendar module enables Views module to display any Date module
date field as a calendar. The module does not properly escape user input
when displaying titles of content types that have Date fields. A user
with permission to create new content types (including via the Date
module's Date Tools sub-module) could attempt a cross site scripting (XSS)
attack, leading to the user gaining full administrative access.


Versions affected

    * Calendar for Drupal 6.x prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed
Calendar module, there is nothing you need to do.


Solution

Upgrade to the latest version:

    * If you use Calendar for Drupal 6.x upgrade to Calendar 6.x-2.2

See also the Calendar project page.


Reported by

Justin C. Klein Keane


Fixed by

Justin C. Klein Keane


Contact

The security contact for Drupal can be reached at security at
drupal.org or via the form at http://drupal.org/contact.

____________________________________________________________________


SA-CONTRIB-2009-046 - Date - Cross Site Scripting
Drupal Security Team - July 29, 2009 - 16:34

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-046
    * Project: Date (third-party module)
    * Version: 6.x
    * Date: 2009-July-29
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description

The Date module provides a date CCK field that can be added to any
content type. The Date Tools module that is bundled with Date module
does not properly escape user input when displaying labels for fields
on a content type. A malicious user with the 'use date tools' permission
of the Date Tools sub-module, or the 'administer content types'
permission could attempt a cross site scripting (XSS) attack when creating
a new content type, leading to the user gaining full administrative access.


Versions affected

    * Date for Drupal 6.x prior to 6.x-2.3

Drupal core is not affected. If you do not use the contributed Date module,
there is nothing you need to do.


Solution

Upgrade to the latest version:

    * If you use Date for Drupal 6.x upgrade to Date 6.x-2.3

Note that the 'use date tools' permission has been renamed as 'administer
date tools' to clarify that this is an administrative permission (it allows
the creation of new content types via a wizard form). You will need to
re-assign this permission to any roles that were using it.

See also the Date project page.


Reported by

Stella Power of the Drupal Security Team


Fixed by

Stella Power and Karen Stevenson, the project maintainer.


Contact

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================