=====================================================================
CERT-Renater Information Note No. 2009/VULN459
_____________________________________________________________________
DATE                 : 13/11/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running RootCandy for DRUPAL, AddToAny for DRUPAL, Web Services for DRUPAL.
======================================================================

http://drupal.org/node/630168
http://drupal.org/node/630208
http://drupal.org/node/630244
______________________________________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-099
* Project: RootCandy (third-party theme)
* Version: 6.x
* Date: 2009-November-11
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

RootCandy is a theme specifically designed for use in the administration section.

The theme fails to sanitize a URL value, leading to a Cross Site Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* RootCandy theme for Drupal 6.x prior to RootCandy 6.x-1.5 [2]

Drupal core is not affected. If you do not use the contributed RootCandy theme [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use the RootCandy theme for Drupal 6.x, upgrade to RootCandy 6.x-1.5 [4]

-------- REPORTED BY ---------------------------------------------------------

* Reported by Jim McIntyre

-------- FIXED BY ------------------------------------------------------------

* Fixed by Marek Sotak [5], the theme maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/629894
[3] http://drupal.org/project/rootcandy
[4] http://drupal.org/node/629894
[5] http://drupal.org/user/37679
____________________________________________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-100
* Project: AddToAny (third-party module)
* Version: 5.x, 6.x
* Date: 2009 November 11
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The AddToAny module provides a share button for the AddToAny social network sharing service.

The module fails to sanitize a value in the node title, leading to a Cross Site Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4 [2]
* AddToAny module for Drupal 5.x prior to AddToAny 5.x-2.4 [3]

Drupal core is not affected. If you do not use the contributed AddToAny module [4], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:

* If you use the AddToAny module for Drupal 6.x, upgrade to AddToAny 6.x-2.4 [5]
* If you use the AddToAny module for Drupal 5.x, upgrade to AddToAny 5.x-2.4 [6]

-------- REPORTED BY ---------------------------------------------------------

* Reported by Jakub Suchy [7] of the Drupal Security Team.

-------- FIXED BY ------------------------------------------------------------

* Fixed by Pat Diven [8], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/601110
[3] http://drupal.org/node/630198
[4] http://drupal.org/project/addtoany
[5] http://drupal.org/node/601110
[6] http://drupal.org/node/630198
[7] http://drupal.org/user/31977
[8] http://drupal.org/user/260224
_______________________________________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2009-101
* Project: Web Services (third-party theme)
* Version: 6.x
* Date: 2009-November-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Web Services module provides an API for other sites to communicate with a Drupal site, enabling the publishing of content, changes to user information, or simply integration of a Flash application.

The module fails to implement proper access checks, leading to an Access Bypass vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Web Services module, all versions.

Drupal core is not affected. If you do not use the contributed Web Services [1] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

The Web Services module is not maintained and there is no direct solution. Disable the module.

The Services [2] module, from which Web Services was forked, may be a possible replacement depending on your requirements.

-------- REPORTED BY ---------------------------------------------------------

* Reported by Paolo Sinelli

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/webservices
[2] http://drupal.org/project/services
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel  : 01-53-94-20-44       +
+ 151 bd de l'Hopital     | fax  : 01-53-94-20-41       +
+ 75013 Paris             | email: certsvp@renater.fr   +
=========================================================
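As an added illustration of the output-escaping pattern behind the two Cross Site Scripting advisories above (DRUPAL-SA-CONTRIB-2009-099, an unsanitized URL value; DRUPAL-SA-CONTRIB-2009-100, an unsanitized node title), written against Drupal 6's real check_url() and check_plain() functions; this is not code from RootCandy, AddToAny or the Drupal project, and the example_render_* function names and sample values are hypothetical.

```php
<?php
// Added illustration, not RootCandy or AddToAny code. Runs inside a
// bootstrapped Drupal 6 site, where check_url() and check_plain() exist.
// Assumed inputs: $url taken from a request parameter, $node a loaded node.

// Vulnerable pattern: attacker-influenced strings are concatenated straight
// into HTML. A URL can carry a script-bearing protocol; a node title is
// stored as raw text in Drupal 6 and may contain markup.
function example_render_unsafe($url, $node) {
  return '<a href="' . $url . '">' . $node->title . '</a>';
}

// Hardened pattern: escape each value at the point of output, chosen by the
// HTML context it lands in.
function example_render_safe($url, $node) {
  // check_url() removes disallowed protocols and HTML-escapes the rest so the
  // value is safe inside an href attribute.
  $href = check_url($url);
  // check_plain() HTML-encodes the title so it renders as text, not markup.
  $title = check_plain($node->title);
  return '<a href="' . $href . '">' . $title . '</a>';
}

// Constructed sample input (hypothetical values, not from the advisories).
$node = new stdClass();
$node->title = 'Release notes <b>with markup</b>';
$url = 'javascript:void(0)';

// First line keeps both the protocol and the tag; second line neutralises them.
print example_render_unsafe($url, $node) . "\n";
print example_render_safe($url, $node) . "\n";
```

In a theme the same rule applies to every template variable printed with `<?php print ... ?>`: a value that was not escaped when the variable was prepared must be wrapped in check_plain() or check_url() at the print site.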