=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN466
_____________________________________________________________________

DATE                      : 19/11/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running PHPList Integration Module for DRUPAL,
                             Strongarm for DRUPAL, Feed Element Mapper for DRUPAL,
                             Subgroups for Organic Groups for DRUPAL,
                             Agreement for DRUPAL, Ubercart for DRUPAL,
                             Gallery Assist for DRUPAL, Printfriendly for DRUPAL.

======================================================================
http://drupal.org/node/636412
http://drupal.org/node/636462
http://drupal.org/node/636518
http://drupal.org/node/636562
http://drupal.org/node/636568
http://drupal.org/node/636576
http://drupal.org/node/636660
http://drupal.org/node/636678
______________________________________________________________________

--------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-102
  * Project: PHPList Integration Module (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross site request forgery

-------- DESCRIPTION ---------------------------------------------------------

The PHPList module provides a basic level of integration between Drupal and
the PHPList mailing list application. The Drupal Forms API protects against
cross site request forgeries (CSRF), where a malicious site can cause a user
to unintentionally submit a form to a site where they are authenticated. The
links for subscribing and un-subscribing to and from mailing lists in "My
Account" do not follow the standard Forms API submission model and are
therefore not protected against this type of attack. A CSRF attack may result
in unintentional subscription or un-subscription of site users to PHPList
mailing lists.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * PHPList Integration Module for Drupal 5 before 5.x-1.2
  * PHPList Integration Module for Drupal 6 before 6.x-1.1

Drupal core is not affected. If you do not use the contributed PHPList
Integration module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version: If you use Drupal 5.x upgrade to PHPList
Integration Module 5.x-1.2 [1]. If you use Drupal 6.x upgrade to PHPList
Integration Module 6.x-1.1 [2]. See also the PHPList Integration Module [3]
project page.

-------- REPORTED BY ---------------------------------------------------------

Peter Wolanin [4] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

Paul Beaney [5] the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/636400
[2] http://drupal.org/node/636398
[3] http://drupal.org/project/phplist
[4] http://drupal.org/user/49851
[5] http://drupal.org/user/204611

_______________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-103
  * Project: Strongarm (third-party module)
  * Version: 6.x
  * Date: 2009 November 18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Strongarm module enables other modules to enforce variable settings
programmatically. It can also be used to override any of these variables, and
lets the administrator see which variables have been overridden, along with
their current values. When using the settings page to see overridden
variables, the value field is not sanitized before being displayed, leading
to a Cross Site Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Strongarm [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1 [4]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by bengtan [5]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by jmiccolis [6], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636474
[3] http://drupal.org/project/strongarm
[4] http://drupal.org/node/636474
[5] http://drupal.org/user/132729
[6] http://drupal.org/user/31731

________________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-104
  * Project: Feed Element Mapper (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a
feed item such as tags, or the author name, to taxonomy or CCK fields. These
mappings are configurable by a point and click interface. When configuring
the mapping, some values coming from external feeds are not sanitized before
they are displayed, leading to a Cross Site Scripting (XSS [1])

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Feed Element Mapper module for Drupal 6.x prior to Feed Element Mapper
    6.x-1.3 [2]
  * Feed Element Mapper module for Drupal 5.x prior to Feed Element Mapper
    5.x-1.3 [3]

Drupal core is not affected. If you do not use the contributed Feed Element
Mapper [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Feed Element Mapper module for Drupal 6.x upgrade to version
    6.x-1.3 [5]
  * If you use Feed Element Mapper module for Drupal 5.x upgrade to version
    5.x-1.3 [6]

If you use one of the unsupported Feed Element Mapper 6.x-2.0 alpha versions,
upgrade to Feed Element Mapper 6.x-1.0-alpha4 [7].

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Jose Reyero [8], from the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

  * Fixed by alex_b [9], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636498
[3] http://drupal.org/node/636496
[4] http://drupal.org/project/feedapi_mapper
[5] http://drupal.org/node/636498
[6] http://drupal.org/node/636496
[7] http://drupal.org/node/636500
[8] http://drupal.org/user/4299
[9] http://drupal.org/user/53995

_____________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-105
  * Project: Subgroups for Organic Groups (third-party module)
  * Version: 5.x
  * Date: 2009-November-18
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Subgroups For Organic Groups module enables users to set group hierarchy.
The module does not filter the titles of some nodes before output, leading to
a cross-site scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0

Drupal core is not affected. If you do not use the contributed Subgroups For
Organic Groups module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Subgroups For Organic Groups 3.3 release for Drupal 5.x
    upgrade to version 5.x-3.4 [2]
  * If you use the Subgroups For Organic Groups 2.0 release for Drupal 5.x
    upgrade to versions 5.x-3.4 [3] or 5.x-4.0 [4]

See also the Subgroups For Organic Groups [5] project page.

-------- REPORTED BY ---------------------------------------------------------

  * The vulnerability was reported by Greg Knaddison [6]

-------- FIXED BY ------------------------------------------------------------

  * XSS vulnerability fixed by Ezra Barnett Gildesgame [7], Subgroups For
    Organic Groups module maintainer

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/630004
[3] http://drupal.org/node/630004
[4] http://drupal.org/node/270602
[5] http://drupal.org/project/og_subgroups
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/69959

_________________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-106
  * Project: Agreement (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Agreement module enables the display of a text-based agreement (think
"Terms of Service") that users of a particular role must accept before they
are given access to the site. The module does not sanitize some of the
user-supplied fields, leading to a Cross Site Scripting (XSS [1])
vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Agreement module for Drupal 6.x prior to Agreement 6.x-1.2 [2]

Drupal core is not affected. If you do not use the contributed Agreement
module [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Agreement module for Drupal 6.x upgrade to Agreement
    6.x-1.2 [4]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Yuriy Babenko [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/631538
[3] http://drupal.org/project/agreement
[4] http://drupal.org/node/631538
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/212855

_________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-107
  * Project: Ubercart (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Cross-site request forgery

-------- DESCRIPTION ---------------------------------------------------------

Ubercart's PayPal Website Payments Standard integration exposes a path for
completed orders without properly checking that the order is valid for the
current user. In the event that the order has already been processed for
checkout, this can result in duplicate actions taking place inadvertently.
Furthermore, if the checkout completion message has been modified to include
order details, information disclosure can happen. The Ubercart order
management was also affected by a minor cross-site request forgery
vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Ubercart module for Drupal 6.x prior to Ubercart 6.x-2.1 [1]
  * Ubercart module for Drupal 5.x prior to Ubercart 5.x-1.9 [2]

Drupal core is not affected. If you do not use the contributed Ubercart [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Ubercart module for Drupal 6.x upgrade to version 6.x-2.1 [4]
  * If you use Ubercart module for Drupal 5.x upgrade to version 5.x-1.9 [5]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Daniel Duvall [6]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Ryan Szrama [7], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/636616
[2] http://drupal.org/node/636614
[3] http://drupal.org/project/ubercart
[4] http://drupal.org/node/636616
[5] http://drupal.org/node/636614
[6] http://drupal.org/user/584298
[7] http://drupal.org/user/49344

__________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-108
  * Project: Gallery Assist (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Gallery Assist module provides a simple way to create image galleries on
a site. The module does not sanitize node titles, leading to a Cross Site
Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Gallery Assist module for Drupal 6.x prior to Gallery Assist 6.x-1.7 [2]

Drupal core is not affected. If you do not use the contributed Gallery Assist
module [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Gallery Assist module for Drupal 6.x upgrade to Gallery
    Assist 6.x-1.7 [4]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Juan Carlos Morejon Carabajo [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636488
[3] http://drupal.org/project/gallery_assist
[4] http://drupal.org/node/636488
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/320731

____________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-109
  * Project: Printfriendly (third-party module)
  * Version: 6.x
  * Date: 2009-November-18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Printfriendly module integrates with printfriendly.com's print service.
The module does not sanitize some of the user-supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6 [2]

Drupal core is not affected. If you do not use the contributed Printfriendly
module [3], there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Printfriendly module for Drupal 6.x upgrade to
    Printfriendly 6.x-1.6 [4]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [5]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Emil Stjerneman [6], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636670
[3] http://drupal.org/project/printfriendly
[4] http://drupal.org/node/636670
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/464598
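
A triage check for the eight advisories above, as an added example that is not part of the CERT-Renater note or the Drupal advisories: it reads the `project` and `version` lines that the drupal.org packaging script writes into a module's .info file and compares them with the fixed releases listed above. The sample .info text is constructed; treating a newer major branch as patched and sending dev, alpha, beta and rc builds to manual review are assumptions of this example.

```python
import re

# Fixed releases per project and core branch, transcribed from the advisories
# above (project machine names are taken from the project page URLs).
FIXED = {
    "phplist":        {"5.x": ["1.2"], "6.x": ["1.1"]},
    "strongarm":      {"6.x": ["1.1"]},
    "feedapi_mapper": {"5.x": ["1.3"], "6.x": ["1.3"]},
    "og_subgroups":   {"5.x": ["3.4", "4.0"]},
    "agreement":      {"6.x": ["1.2"]},
    "ubercart":       {"5.x": ["1.9"], "6.x": ["2.1"]},
    "gallery_assist": {"6.x": ["1.7"]},
    "printfriendly":  {"6.x": ["1.6"]},
}
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-(.+))?$")
INFO_RE = re.compile(r'^\s*(project|version)\s*=\s*"?([^"\n]+?)"?\s*$', re.M)

def classify(project, version):
    """Return 'not-listed', 'patched', 'affected' or 'review'."""
    fixed = FIXED.get(project)
    m = VERSION_RE.match(version.strip())
    if fixed is None or (m and m.group(1) not in fixed):
        return "not-listed"
    if not m or m.group(3) == "x" or m.group(4):
        return "review"  # unparsable, -dev snapshot, or alpha/beta/rc build
    inst = (int(m.group(2)), int(m.group(3)))
    releases = [tuple(int(p) for p in f.split(".")) for f in fixed[m.group(1)]]
    same_major = [f for f in releases if f[0] == inst[0]]
    if same_major:
        return "patched" if inst >= min(same_major) else "affected"
    # Assumption: a major branch newer than every fixed release carries the fix.
    return "patched" if inst[0] > max(f[0] for f in releases) else "affected"

def triage_info(info_text):
    """Classify one module from the text of its .info file."""
    fields = dict(INFO_RE.findall(info_text))
    project = fields.get("project")
    return project, classify(project, fields.get("version", ""))

# Constructed sample: a packaged module's .info file (not a real release).
SAMPLE_INFO = '''name = PHPList integration
core = 6.x
; Information added by drupal.org packaging script on 2009-06-01
version = "6.x-1.0"
core = "6.x"
project = "phplist"
'''

if __name__ == "__main__":
    print(triage_info(SAMPLE_INFO))
```

A `review` result covers builds such as the unsupported Feed Element Mapper alpha versions, which the advisory handles separately from the stable releases.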

_______________________________________________

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

