=====================================================================
                            CERT-Renater

                Information Note No. 2009/VULN430
_____________________________________________________________________

DATE                 : 23/10/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Moodle Course List module for DRUPAL,
                       Flag Content for DRUPAL, Userpoints for DRUPAL,
                       Organic Groups Vocabulary for DRUPAL,
                       vCard module for DRUPAL,
                       Simplenews Statistics for DRUPAL, Abuse for DRUPAL.

======================================================================
http://drupal.org/node/610986
http://drupal.org/node/610868
http://drupal.org/node/610818
http://drupal.org/node/610948
http://drupal.org/node/610996
http://drupal.org/node/611002
http://drupal.org/node/611078
______________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-078
  * Project: Moodle Course List module (third-party module)
  * Version: 6.x
  * Date: 2009-October-21
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

The Moodle Course List module provides a block which displays links to a
user's Moodle courses. In some cases the module does not properly sanitize
user input, leading to a SQL Injection (SQL Injection [1]) vulnerability.
Such an attack may lead to a malicious user gaining full administrative
access.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Moodle Course List module versions 6.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Moodle Course
List module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Moodle Course List module for Drupal 6.x upgrade to Moodle
    Course List module 6.x-1.2 [2]

See also the Moodle Course List module project page [3].

-------- REPORTED BY ---------------------------------------------------------

Charlie Gordon [4]

-------- FIXED BY ------------------------------------------------------------

Adam Gerson [5], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://drupal.org/node/569734
[3] http://drupal.org/project/moodle_courselist
[4] http://drupal.org/user/157412
[5] http://drupal.org/user/293615

______________________________________________________________________

--------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-076
  * Project: Flag Content (third-party module)
  * Version: 5.x
  * Date: 2009-October-21
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Flag Content module enables users to flag nodes and users for the
attention of a site maintainer (e.g. for abuse, spam, trolling, ...etc.).
In some specific cases, the module does not sanitize before outputting the
Reason field, resulting in a cross-site scripting (XSS [1]) vulnerability.
Such an attack may lead to a malicious user gaining full administrative
access.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Flag Content 5.x-2.x prior to 5.x-2.10

Drupal core is not affected. If you do not use the contributed Flag Content
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Flag Content module for Drupal 5.x upgrade to Flag Content
    5.x-2.10 [2]

-------- REPORTED BY ---------------------------------------------------------

patPrzybilla [3].

-------- FIXED BY ------------------------------------------------------------

kbahey [4], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/610870
[3] http://drupal.org/user/151965
[4] http://drupal.org/user/4063

_____________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-077
  * Project: Userpoints (third-party module)
  * Version: 6.x
  * Date: 2009-October-21
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Information disclosure

-------- DESCRIPTION ---------------------------------------------------------

The Userpoints module enables the users of a site to gain or lose points
based on their activity. There is a vulnerability in the module which allows
any user with the "View own userpoints" permission to view the userpoints
data of any user, not just their own.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Userpoints module versions 6.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed Userpoints
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

  * If you use the Userpoints module for Drupal 6.x upgrade to Userpoints
    module 6.x-1.1 [1]

See also the Userpoints module project page [2].

-------- REPORTED BY ---------------------------------------------------------

mr.baileys [3].

-------- FIXED BY ------------------------------------------------------------

kbahey [4], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/610828
[2] http://drupal.org/project/userpoints
[3] http://drupal.org/user/383424
[4] http://drupal.org/user/4063

___________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-075
  * Project: Organic Groups Vocabulary (third-party module)
  * Version: 5.x
  * Date: 2009-October-21
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Organic Groups Vocabulary module enables an organic group to have a
group-specific vocabulary. In some specific cases, the module does not
sanitize before outputting the group title, resulting in a cross-site
scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious
user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Organic Groups Vocabulary versions for Drupal 5.x before Organic Groups
    Vocabulary 5.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

  * If you use Organic Groups Vocabulary for Drupal 5.x upgrade to version
    5.x-1.1 [3]

See also the Organic Groups Vocabulary module project page [4].

-------- REPORTED BY ---------------------------------------------------------

Stéphane Corlosquet [5] of the Drupal Security Team.

-------- FIXED BY ------------------------------------------------------------

Amitaibu [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/605094
[3] http://drupal.org/node/605094
[4] http://drupal.org/project/og_vocab
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/57511

________________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-079
  * Project: vCard module (third-party module)
  * Version: 6.x, 5.x
  * Date: 2009-October-21
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The vCard module adds a vCard download link to every user's profile. This
link makes it easy to add users from a Drupal site to a local address book.
When the theme_vcard() function is added to a theme and default content from
the vCard module is output, the site will be vulnerable to a Cross Site
Scripting (XSS [1]) attack. Such an attack may lead to a malicious user
gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * vCard module versions 6.x prior to 6.x-1.3
  * vCard module versions 5.x prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed vCard module,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the vCard module for Drupal 6.x upgrade to vCard module
    6.x-1.3 [2]
  * If you use the vCard module for Drupal 5.x upgrade to vCard module
    5.x-1.4 [3]

See also the vCard module project page [4].

-------- REPORTED BY ---------------------------------------------------------

John Morahan [5]

-------- FIXED BY ------------------------------------------------------------

sanduhrs [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/610420
[3] http://drupal.org/node/610416
[4] http://drupal.org/project/vCard
[5] http://drupal.org/user/58170
[6] http://drupal.org/user/28074

________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-080
  * Project: Simplenews Statistics (third-party module)
  * Version: 6.x
  * Date: 2009 October 21
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities (XSS, CSRF, Open Redirect)

-------- DESCRIPTION ---------------------------------------------------------

The Simplenews Statistics module provides newsletter statistics such as the
open rate and CTR (click-through rate). The module suffers from multiple
vulnerabilities, including Cross Site Request Forgery (CSRF [1]), Cross Site
Scripting (XSS [2]) and Open Redirect. This problem allows an attacker to
hijack the account of a logged-in user by tricking them into visiting a
seemingly innocent page.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Simplenews Statistics 6.x prior to 6.x-2.0

Drupal core is not affected.
If you do not use the contributed Simplenews Statistics module, there is
nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

  * If you use Simplenews Statistics for Drupal 6.x upgrade to version
    6.x-2.0 [3]

-------- REPORTED BY ---------------------------------------------------------

  * Open redirect vulnerability reported by John Pettitt
  * XSS and CSRF vulnerability reported by Dylan Wilder-Tack [4]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Sjoerd Arendsen [5].

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/XSS
[3] http://drupal.org/node/590098
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/310132

_________________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-081
  * Project: Abuse (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009 October 21
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Abuse module enables users to flag nodes and comments as offensive,
bringing them to the attention of the site maintainer for review. The module
suffers from a Cross Site Scripting (Cross Site Scripting [1]) vulnerability.
Such an attack may lead to a malicious user gaining full administrative
access.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Abuse 6.x prior to 6.x-1.1-alpha1
  * Abuse 5.x prior to 5.x-2.1

Drupal core is not affected. If you do not use the contributed Abuse module,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

  * If you use Abuse for Drupal 6.x upgrade to version 6.x-1.1-alpha1 [2]
  * If you use Abuse for Drupal 5.x upgrade to version 5.x-2.1 [3]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Mustafa ULU [4].

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Ashok Modi [5].

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/XSS
[2] http://drupal.org/node/610900
[3] http://drupal.org/node/610784
[4] http://drupal.org/user/207559
[5] http://drupal.org/user/60422

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41             +
+ 75013 Paris         | email: certsvp@renater.fr        +
=========================================================
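
Added example (not part of the CERT-Renater bulletin or the Drupal advisories): Python code that checks installed contributed-module releases against the fixed releases listed in the seven advisories above, ordering Drupal release strings numerically so that 5.x-2.9 sorts before 5.x-2.10 and 6.x-1.1-alpha1 before 6.x-1.1. Project names and fixed versions come from the advisories; the function names, the sample inventory and the treatment of older major series as affected are assumptions.

```python
import re

# Fixed releases as listed in the advisories, keyed by project name and core branch.
FIXED = {
    ("Moodle Course List", "6.x"): "6.x-1.2",
    ("Flag Content", "5.x"): "5.x-2.10",
    ("Userpoints", "6.x"): "6.x-1.1",
    ("Organic Groups Vocabulary", "5.x"): "5.x-1.1",
    ("vCard", "6.x"): "6.x-1.3",
    ("vCard", "5.x"): "5.x-1.4",
    ("Simplenews Statistics", "6.x"): "6.x-2.0",
    ("Abuse", "6.x"): "6.x-1.1-alpha1",
    ("Abuse", "5.x"): "5.x-2.1",
}

_VERSION = re.compile(r"^(\d+\.x)-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last


def parse(version):
    """Return (core, sort_key) for a contrib release string, or None for
    strings that cannot be ordered (for example '6.x-1.x-dev')."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    core, major, minor, stage, n = m.groups()
    return core, (int(major), int(minor), _STAGE[stage], int(n or 0))


def status(project, installed):
    """Classify one installed module release against the advisories."""
    parsed = parse(installed)
    if parsed is None:
        return "unknown"        # dev snapshot or malformed string: check by hand
    core, key = parsed
    fixed = FIXED.get((project, core))
    if fixed is None:
        return "not listed"     # project or core branch not covered by this bulletin
    # Assumption: releases from an older major series sort lower and are flagged too.
    return "vulnerable" if key < parse(fixed)[1] else "fixed"


# Constructed sample inventory, for illustration only.
SAMPLE = [("Flag Content", "5.x-2.9"), ("Abuse", "6.x-1.1-alpha1"), ("Userpoints", "6.x-1.x-dev")]

if __name__ == "__main__":
    for project, version in SAMPLE:
        print(f"{project} {version}: {status(project, version)}")
```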