=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN444
_____________________________________________________________________

DATE                      : 05/11/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running User Protect for Drupal,
                              Node Hierarchy for Drupal,
                              Presentation Player for Drupal,
                              Temporary Invitation for Drupal,
                              NGP COO/CWP Integration for Drupal,
                              Smartqueues for Organic Groups for Drupal,
                              Link for Drupal,
                              Organic Groups Vocabulary for Drupal,
                              Zoomify for Drupal.

======================================================================
http://drupal.org/node/623162
http://drupal.org/node/623490
http://drupal.org/node/623508
http://drupal.org/node/623526
http://drupal.org/node/623546
http://drupal.org/node/623554
http://drupal.org/node/623562
http://drupal.org/node/623674
http://drupal.org/node/623678
______________________________________________________________________

  * Advisory ID: SA-CONTRIB-2009-09-090
  * Project: User Protect (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-04
  * Security risk: Moderate
  * Exploitable from: Remote
  * Vulnerability: Cross site request forgery

- -------- DESCRIPTION ---------------------------------------------------------

User Protect provides various editing protections for users. The protections
can be specific to a user, or applied to all users in a role. User
administrators can be individually configured to be allowed to bypass the
protections. The Drupal Forms API protects against cross site request
forgeries (CSRF [1]), where a malicious site can cause a user to
unintentionally submit a form to a site where he is authenticated. The link
for deleting user protections and administrator bypasses does not follow the
standard Forms API submission model and is therefore not protected against
this type of attack. A CSRF [2] attack may result in the deletion of
protections for users, or administrator bypass settings for user
administrators.
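
The difference between a delete link handled by a plain page callback and one
routed through the Forms API, as an added Drupal 6 example that is not code
from the User Protect module. The module name "example_protect", its table
and its paths are hypothetical.

```php
<?php
// Added illustration for Drupal 6. The module name "example_protect", its
// table and its paths are hypothetical, not taken from User Protect.

/** Implementation of hook_menu(). */
function example_protect_menu() {
  $items = array();
  // BEFORE: the delete link goes straight to a page callback. A request
  // triggered by another site while an administrator is logged in deletes
  // the row, because nothing ties the request to a form the user submitted.
  $items['admin/user/example_protect/delete-unsafe/%'] = array(
    'page callback' => 'example_protect_delete_unsafe',
    'page arguments' => array(4),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  // AFTER: the link leads to a confirmation form built by drupal_get_form().
  // The Forms API adds a per-session form_token and validates it on submit,
  // so the deletion only happens on a POST that carries a valid token.
  $items['admin/user/example_protect/delete/%'] = array(
    'title' => 'Delete protection',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_protect_delete_confirm', 4),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** BEFORE: state change performed on GET with no token check. */
function example_protect_delete_unsafe($uid) {
  db_query('DELETE FROM {example_protect} WHERE uid = %d', $uid);
  drupal_set_message(t('Protection removed.'));
  drupal_goto('admin/user/example_protect');
}

/** AFTER: form builder; viewing this page changes nothing. */
function example_protect_delete_confirm(&$form_state, $uid) {
  $form['uid'] = array('#type' => 'value', '#value' => (int) $uid);
  return confirm_form(
    $form,
    t('Remove the protection for user %uid?', array('%uid' => $uid)),
    'admin/user/example_protect',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

/** Submit handler: runs only after the Forms API has validated the token. */
function example_protect_delete_confirm_submit($form, &$form_state) {
  db_query('DELETE FROM {example_protect} WHERE uid = %d', $form_state['values']['uid']);
  drupal_set_message(t('Protection removed.'));
  $form_state['redirect'] = 'admin/user/example_protect';
}
```

Changing menu items only takes effect once Drupal rebuilds its menu router
table.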

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * User Protect for Drupal 5.x before User Protect 5.x-1.4
  * User Protect for Drupal 6.x before User Protect 6.x-1.3

Drupal core is not affected. If you do not use the contributed User Protect
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Drupal 5.x upgrade to User Protect 5.x-1.4 [3].
  * If you use Drupal 6.x upgrade to User Protect 6.x-1.3 [4].

Please note that update.php *must* be run as part of this upgrade in order
for the issue to be fully fixed. See also the User Protect project page [5].

- -------- REPORTED BY ---------------------------------------------------------

Chad Phillips [6].

- -------- FIXED BY ------------------------------------------------------------

Chad Phillips [7].

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/node/623180
[4] http://drupal.org/node/623186
[5] http://drupal.org/project/userprotect
[6] http://drupal.org/user/22079
[7] http://drupal.org/user/22079

________________________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-091
  * Project: Node Hierarchy (third-party module)
  * Version: 6.x, 5.x
  * Date: 2009 November 4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Node Hierarchy module enables a site administrator to arrange their site
into a tree-like structure. When displaying the list of children for a node
the module does not properly sanitize the titles of the child nodes before
outputting them, leading to a cross-site scripting [1] (XSS) vulnerability
which would allow a user with the ability to edit the nodes to gain full
administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Node Hierarchy versions for Drupal 6.x prior to 6.x-1.3
  * Node Hierarchy versions for Drupal 5.x prior to 5.x-1.3

Drupal core is not affected. If you do not use the contributed Node Hierarchy
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Node Hierarchy for Drupal 6.x upgrade to version 6.x-1.3 [2]
  * If you use Node Hierarchy for Drupal 5.x upgrade to version 5.x-1.3 [3]

See also the Node Hierarchy [4] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * mr.baileys [5].

- -------- FIXED BY ------------------------------------------------------------

  * Ronan Dowling [6], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/622092
[3] http://drupal.org/node/622100
[4] http://drupal.org/project/nodehierarchy
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/72815

________________________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-092
  * Project: S5 Presentation Player (third-party module)
  * Version: 6.x
  * Date: 2009 November 4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The S5 Presentation Player module enables the creation of an S5 slideshow
using content from the site. The module does not properly sanitize user
supplied text it includes in the HTML HEAD section, leading to a cross-site
scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious
user gaining full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * S5 Presentation Player 6.x-1.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed S5
Presentation Player module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the S5 Presentation Player for Drupal 6.x-1.x upgrade to S5
    Presentation Player 6.x-1.1 [2]

See also the S5 Presentation Player module project page [3].

- -------- REPORTED BY ---------------------------------------------------------

  * Gábor Hojtsy [4] of the Drupal Security team

- -------- FIXED BY ------------------------------------------------------------

  * Greg Knaddison [5], the module maintainer, of the Drupal Security team

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/617136
[3] http://drupal.org/project/s5
[4] http://drupal.org/user/4166
[5] http://drupal.org/user/36762

_________________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-093
  * Project: Temporary Invitation (third-party module)
  * Version: 5.x
  * Date: 2009 November 4
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Temporary Invitation module enables site users to invite guests for a
limited timespan. For each invitation, a new user is created, together with a
login code (e.g. "EbN2F3") that the user can use to log in. The module fails
to sanitize a value in the Name field, which is included in the invitation,
leading to a Cross Site Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Temporary Invitation module for Drupal 5.x prior to Temporary Invitation
    5.x-2.3 [2]

Drupal core is not affected. If you do not use the contributed Temporary
Invitation module [3], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Temporary Invitation module for Drupal 5.x upgrade to version
    5.x-2.3 [4]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Wolfgang Ziegler [5], the module maintainer.

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by Wolfgang Ziegler [6], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623018
[3] http://drupal.org/project/temporary_invitation
[4] http://drupal.org/node/623018
[5] http://drupal.org/user/16747
[6] http://drupal.org/user/16747
______________________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-094
  * Project: NGP COO/CWP Integration (crmngp) (third-party module)
  * Version: 6.x
  * Date: 2009-November-4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting and Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The NGP COO/CWP Integration module provides Drupal integration with the NGP
Software API for efficient campaign management. An administration page did
not properly implement access control, thereby allowing untrusted users to
view module log information. User-supplied information was not filtered on
output, allowing a cross-site scripting (XSS [1]) attack.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * NGP COO/CWP Integration versions for Drupal 6.x prior to 6.x-1.12

Drupal core is not affected. If you do not use the contributed NGP COO/CWP
Integration module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use NGP COO/CWP Integration for Drupal 6.x upgrade to version
    6.x-1.13 [2]

See also the NGP COO/CWP Integration [3] project page.

- -------- REPORTED BY ---------------------------------------------------------

  * Access bypass reported by Dylan Wilder-Tack [4]
  * Cross-site scripting reported by Benjamin Jeavons [5]

- -------- FIXED BY ------------------------------------------------------------

  * XSS vulnerability fixed by Sean Robertson [6], the module maintainer
  * Access bypass vulnerability fixed by Dylan Wilder-Tack [7]

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623506
[3] http://drupal.org/project/crmngp
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/91990
[6] https://drupal.org/user/7074
[7] http://drupal.org/user/96647
______________________________________________________________________


  * Advisory ID: SA-CONTRIB-2009-095
  * Project: Smartqueues for Organic Groups (smartqueue_og) (third-party
    module)
  * Version: 6.x
  * Date: 2009 November 4
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- -------- DESCRIPTION ---------------------------------------------------------

The Smartqueue_og [1] module uses Nodequeue's Smartqueue API to provide a
Nodequeue [2] for organic groups which is editable by members of that group
or the group's administrators. Users with the "administer nodequeue"
permission have the option to batch create subqueues (individual instances of
a queue) for all eligible organic group nodes. For each subqueue that is
created, a confirmation message is displayed containing the name of the
organic group. The displayed message does not check that the current user has
permission to view the group node. A similar message is also displayed when
an eligible group node is submitted.

Smartqueue_og users should also note: subqueue titles contain the title of
the organic group node to which the subqueue is related. Users with the
'manipulate all queues' or 'manipulate all og queues' permissions will be
able to view all smartqueue_og subqueue titles, and therefore the node titles
of all groups that have a subqueue, regardless of node access restrictions.
This is by design and is not changed in the latest version.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Smartqueue_og module for Drupal 6.x prior to Smartqueue_og 6.x-1.0-rc3 [3]
  * Smartqueue_og module for Drupal 5.x prior to Smartqueue_og 5.x-1.3 [4]

Drupal core is not affected. If you do not use the contributed Smartqueue_og
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version.
  * If you use the Smartqueue_og module for Drupal 6.x upgrade to
    Smartqueue_og module 6.x-1.0-rc3 [5]
  * If you use the Smartqueue_og module for Drupal 5.x upgrade to
    Smartqueue_og module 5.x-1.3 [6].

See also the Smartqueue_og [7] module project page.

- -------- REPORTED BY ---------------------------------------------------------

  * Ezra Barnett Gildesgame [8], the module maintainer.

- -------- FIXED BY ------------------------------------------------------------

  * Ezra Barnett Gildesgame [9], the module maintainer.

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security@drupal.org [10] or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/smartqueue_og
[2] http://drupal.org/project/nodequeue
[3] http://drupal.org/node/617496
[4] http://drupal.org/node/617500
[5] http://drupal.org/node/617496
[6] http://drupal.org/node/617500
[7] http://drupal.org/project/smartqueue_og
[8] http://drupal.org/user/69959
[9] http://drupal.org/user/69959
[10] mailto:security@drupal.org
______________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-096
  * Project: Link (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-4
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Link module provides a CCK field that enables links, each of which can
include a URL, title, and target attribute, to be added to content types. When
using the "Separate title and URL" formatter supplied by the module, the link
title field is not sanitized before being displayed, leading to a Cross Site
Scripting (XSS [1]) vulnerability.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Link module for Drupal 6.x prior to Link 6.x-2.7 [2]
  * Link module for Drupal 5.x prior to Link 5.x-2.6 [3]

Drupal core is not affected. If you do not use the contributed Link module
[4], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Link module for Drupal 6.x upgrade to version 6.x-2.7 [5]
  * If you use Link module for Drupal 5.x upgrade to version 5.x-2.6 [6]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by mr.baileys [7]

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by dropcube [8], Link module co-maintainer, and mr.baileys [9]

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/620668
[3] http://drupal.org/node/620662
[4] http://drupal.org/project/link
[5] http://drupal.org/node/620668
[6] http://drupal.org/node/620662
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/37031
[9] http://drupal.org/user/383424

____________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-097
  * Project: Organic Groups Vocabulary (third-party module)
  * Version: 6.x
  * Date: 2009-November-4
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Organic Groups Vocabulary module enables a vocabulary to be restricted
for use to a specific Organic Group. In some cases the module does not
sanitize the group title before outputting it, resulting in a cross-site
scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious
user gaining full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Organic Groups Vocabulary versions for Drupal 6.x prior to Organic Groups
    Vocabulary 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Organic Groups
Vocabulary module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Organic Groups Vocabulary for Drupal 6.x upgrade to version
    6.x-1.1 [3]

See also the Organic Groups Vocabulary module project page [4].

- -------- REPORTED BY ---------------------------------------------------------

  * Stéphane Corlosquet [5] of the Drupal Security Team and Dylan Wilder-Tack
    [6]

- -------- FIXED BY ------------------------------------------------------------

  * Amitaibu [7], the module maintainer

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/621960
[3] http://drupal.org/node/621960
[4] http://drupal.org/project/og_vocab
[5] http://drupal.org/user/52142
[6] http://drupal.org/user/96647
[7] http://drupal.org/user/57511

_________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-098
  * Project: Zoomify (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-4
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

The Zoomify module integrates the Zoomify Flash applet into Drupal which can
be used to pan and zoom on large images. Images are first preprocessed in
order for Zoomify to work. The module fails to sanitize a value in the node
title, leading to a Cross Site Scripting (XSS [1]) vulnerability.
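
The XSS advisories in this bulletin (Node Hierarchy, S5 Presentation Player,
Temporary Invitation, NGP COO/CWP Integration, Link, Organic Groups
Vocabulary, Zoomify) each describe user-supplied text, such as a title or a
name, reaching the page unescaped. As an added Drupal 6 example, not code from
any of those modules, the unescaped output pattern next to its escaped form;
the function names and the object fields other than nid and title are
hypothetical.

```php
<?php
// Added illustration for Drupal 6. The function names and the $author value
// are hypothetical, not code from any module named in this bulletin.

/** BEFORE: titles are concatenated into markup exactly as they were typed. */
function example_children_list_unsafe($parent, $children) {
  $items = array();
  foreach ($children as $child) {
    // $child->title is user-supplied; any markup in it is emitted verbatim.
    $items[] = '<a href="' . url('node/' . $child->nid) . '">' . $child->title . '</a>';
  }
  // The "!" placeholder inserts its value into the string without escaping.
  $heading = t('Children of !title', array('!title' => $parent->title));
  // theme_item_list() treats each item as HTML and does not escape it.
  return '<h3>' . $heading . '</h3>' . theme('item_list', $items);
}

/** AFTER: every user-supplied value is escaped at the point of output. */
function example_children_list($parent, $children) {
  $items = array();
  foreach ($children as $child) {
    // l() runs the link text through check_plain() unless 'html' => TRUE.
    $items[] = l($child->title, 'node/' . $child->nid);
  }
  // The "@" placeholder runs check_plain() on its value.
  $heading = t('Children of @title', array('@title' => $parent->title));
  return '<h3>' . $heading . '</h3>' . theme('item_list', $items);
}

/** BEFORE: user-supplied text written into the HTML HEAD as-is. */
function example_add_author_meta_unsafe($author) {
  drupal_set_html_head('<meta name="author" content="' . $author . '" />');
}

/** AFTER: check_plain() encodes quotes as well as angle brackets, so the
 *  value cannot close the attribute or open a new tag. */
function example_add_author_meta($author) {
  drupal_set_html_head('<meta name="author" content="' . check_plain($author) . '" />');
}
```

Escaping belongs at output, not at save time: the stored title stays as
entered and every place that prints it has to go through check_plain(), l()
or an escaping t() placeholder.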

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Zoomify module for Drupal 6.x prior to Zoomify 6.x-1.4 [2]
  * Zoomify module for Drupal 5.x prior to Zoomify 5.x-2.2 [3]

Drupal core is not affected. If you do not use the contributed Zoomify module
[4], there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Zoomify module for Drupal 6.x upgrade to Zoomify 6.x-1.4 [5]
  * If you use Zoomify module for Drupal 5.x upgrade to Zoomify 5.x-2.2 [6]

- -------- REPORTED BY ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [7], the module maintainer

- -------- FIXED BY ------------------------------------------------------------

  * Fixed by Karim Ratib [8], the module maintainer

- -------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623434
[3] http://drupal.org/node/623436
[4] http://drupal.org/project/zoomify
[5] http://drupal.org/node/623434
[6] http://drupal.org/node/623436
[7] http://drupal.org/user/96647
[8] http://drupal.org/user/48424
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================



