=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN005
_____________________________________________________________________

DATE                      : 05/01/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Workflow for DRUPAL,
                             Shibboleth authentication for DRUPAL,
                             Webform for DRUPAL, RealName for DRUPAL,
                             Printer, e-mail and PDF versions for DRUPAL,
                             CCK Comment Reference for DRUPAL, FAQ Ask for DRUPAL,
                             Insert Node for DRUPAL, Storm for DRUPAL,
                             OpenSocial Shindig-Integrator for DRUPAL.

======================================================================
http://drupal.org/node/617456
http://drupal.org/node/604488
http://drupal.org/node/604942
http://drupal.org/node/604760
http://drupal.org/node/604808
http://drupal.org/node/617380
http://drupal.org/node/617444
http://drupal.org/node/617400
http://drupal.org/node/617494
http://drupal.org/node/617422
______________________________________________________________________

_________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-088
    * Project: Workflow (third-party module)
    * Version: 6.x, 5.x
    * Date: 2009-October-28
    * Security risk: Moderately Critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

- - -------- Description
- - ---------------------------------------------------------


The Workflow module enables sites to define flexible process management
systems. Names of workflows and workflow states are not sanitised to display
as plain text, leading to a Cross Site Scripting (XSS) vulnerability.
Exploiting this vulnerability would allow a malicious user to gain full
administrative access.

Mitigating factors: A malicious user would need 'administer workflow'
permission to carry out the cross-site-scripting attack.

- - -------- Versions affected
- - ---------------------------------------------------------

    * Workflow module versions Drupal 6.x prior to Workflow 6.x-1.2
    * Workflow module versions Drupal 5.x prior to Workflow 5.x-2.4

Drupal core is not affected. If you do not use the contributed Workflow
module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------

Install the latest version.

    * If you use the Workflow module for Drupal 6.x upgrade to Workflow
        6.x-1.2
    * If you use the Workflow module for Drupal 5.x upgrade to Workflow
        5.x-2.4

- - -------- Reported by
- - ---------------------------------------------------------

Justin_KleinKeane.

- - -------- Fixed by
- - ---------------------------------------------------------

jvandyk, the module maintainer.

- - -------- Contact
- - ---------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
_____________________________________________________________________________

___________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-070
    * Project: Shibboleth authentication (third-party module)
    * Version: 6.x, 5.x
    * Date: 2009-October-14
    * Security risk: Less critical
    * Exploitable from: Remote
    * Vulnerability: Impersonation, privilege escalation

- - -------- Description
- - ---------------------------------------------------------


The Shibboleth authentication module provides user authentication and
authorisation based on the Shibboleth Web Single Sign-on system.

The module does not properly handle the changes of the underlying Shibboleth
session. This can result in impersonation and possible privilege escalation
if a user leaves the browser unattended (i.e. after SAML2 Single Logout). A
person using the same browser session but re-authenticated at their IdP
might become logged in as the original user (even accidentally). Dynamic
roles which are provided by the module are based on the attributes of the
new user, however any permissions statically granted to the victim would
still be in effect.
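
The defect described above is a missing binding between the application session
and the SSO session. The following is an added example in the Drupal 6 API and
is not the Shibboleth authentication module's own code: it records which
Shibboleth SP session a Drupal login was created from and drops the Drupal
login as soon as that SP session disappears or changes. The server variable
names (Shib-Session-ID, REMOTE_USER) depend on the SP configuration and are
assumptions, as are all function names.

```php
<?php
// Added example, not the Shibboleth authentication module's code. Binds the
// Drupal session to the Shibboleth SP session so that a different person
// re-authenticating in the same browser does not inherit the earlier Drupal
// login (and its statically granted roles). Variable names are an assumption:
// the SP may be configured to expose them under different names.
define('EXAMPLE_SHIB_ID_VAR', 'Shib-Session-ID');
define('EXAMPLE_SHIB_USER_VAR', 'REMOTE_USER');

/**
 * Implementation of hook_init(): runs on every page request.
 */
function example_shib_init() {
  global $user;
  if ($user->uid == 0) {
    return;                                   // nothing to protect
  }
  $sp_session = isset($_SERVER[EXAMPLE_SHIB_ID_VAR]) ? $_SERVER[EXAMPLE_SHIB_ID_VAR] : '';
  $principal  = isset($_SERVER[EXAMPLE_SHIB_USER_VAR]) ? $_SERVER[EXAMPLE_SHIB_USER_VAR] : '';

  // Both values were recorded at login time by example_shib_bind_login().
  $bound_session   = isset($_SESSION['example_shib_session']) ? $_SESSION['example_shib_session'] : NULL;
  $bound_principal = isset($_SESSION['example_shib_principal']) ? $_SESSION['example_shib_principal'] : NULL;

  if (!example_shib_session_matches($sp_session, $principal, $bound_session, $bound_principal)) {
    // The SP session ended (Single Logout) or another principal authenticated
    // in this browser: end the Drupal login instead of letting the new person
    // act as the original user. Mirrors what user_logout() does in core.
    watchdog('example_shib', 'Shibboleth session changed for uid %uid; logging out.',
      array('%uid' => $user->uid), WATCHDOG_NOTICE);
    session_destroy();
    $user = drupal_anonymous_user();
    drupal_goto('user/login');
  }
}

/**
 * Pure comparison, kept separate from the bootstrap-dependent code.
 * TRUE only when the live SP session is the one this Drupal login came from.
 * An empty SP session (logged out at the SP) never matches.
 */
function example_shib_session_matches($sp_session, $principal, $bound_session, $bound_principal) {
  if ($sp_session === '' || $bound_session === NULL) {
    return FALSE;
  }
  return $sp_session === $bound_session && $principal === $bound_principal;
}

/**
 * Call once, right after user_external_login_register() succeeds, to record
 * which SP session this Drupal login belongs to.
 */
function example_shib_bind_login() {
  $_SESSION['example_shib_session']   = isset($_SERVER[EXAMPLE_SHIB_ID_VAR]) ? $_SERVER[EXAMPLE_SHIB_ID_VAR] : '';
  $_SESSION['example_shib_principal'] = isset($_SERVER[EXAMPLE_SHIB_USER_VAR]) ? $_SERVER[EXAMPLE_SHIB_USER_VAR] : '';
}
```

Comparing both the session identifier and the principal matters: a new SP
session for the same principal is harmless but should still re-bind, while a
new principal in an old Drupal session is exactly the impersonation case the
advisory describes.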

- - -------- Versions affected
- - ---------------------------------------------------------


    * Shibboleth authentication versions for Drupal 6.x prior to 6.x-3.2
    * Shibboleth authentication versions for Drupal 5.x prior to 5.x-3.4

Drupal core is not affected. If you do not use the contributed Shibboleth
authentication module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------

Upgrade to the latest version:

    * If you use Shibboleth authentication for Drupal 6.x upgrade to
        version 6.x-3.2
    * If you use Shibboleth authentication for Drupal 5.x upgrade to
        version 5.x-3.4

See also the Shibboleth authentication project page.

- - -------- Reported by
- - ---------------------------------------------------------

Kristof Bajnok, Shibboleth authentication module maintainer.

- - -------- Fixed by
- - ---------------------------------------------------------

Kristof Bajnok, Shibboleth authentication module maintainer.

- - -------- Contact
- - ---------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
_______________________________________________________________________

__________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-074
    * Project: Webform (third-party module)
    * Version: 5.x, 6.x
    * Date: 2009-October-14
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Multiple vulnerabilities

- - -------- Description
- - ---------------------------------------------------------


Cross-site scripting

The Webform module enables the creation of custom forms for collecting data
from users. The Webform module does not properly escape field labels in
certain situations. A malicious user with permission to create webforms
could attempt a cross-site scripting (XSS) attack when viewing the result,
leading to the user gaining full administrative access.

Session data disclosure

The Webform module fails to prevent the page from being cached when a default
value uses token placeholders. This leads to disclosure of session variables
to anonymous users when caching is enabled.
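
The disclosure above is a caching problem rather than an escaping problem:
per-user values are substituted into the page and the rendered page is then
stored in the anonymous page cache. The following is an added example in the
Drupal 6 API, not the Webform module's own code; the token names and the form
are constructed for illustration.

```php
<?php
// Added example, not Webform's code. Shows why a page whose default values
// come from per-user tokens must opt out of the Drupal 6 page cache for that
// request, and how. Token names (%useremail, %session[cart]) are assumed.

// Constructed stand-in for token substitution of user and session values.
function example_fill_defaults($text, $account, $session) {
  $map = array(
    '%username'      => $account->name,
    '%useremail'     => $account->mail,
    '%session[cart]' => isset($session['cart']) ? $session['cart'] : '',
  );
  return strtr($text, $map);
}

// Cheap detection of tokens that make the output user-specific.
function example_uses_personal_tokens($template) {
  return (bool) preg_match('/%(username|useremail|session\[)/', $template);
}

// Minimal form the page callbacks below render.
function example_form(&$form_state, $default = '') {
  $form['note']   = array('#type' => 'textfield', '#title' => t('Note'), '#default_value' => $default);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

// VULNERABLE: an anonymous request renders the form with this visitor's
// session values and, since nothing opts the page out of the page cache, the
// rendered HTML is stored and served to every later anonymous visitor of the
// same URL.
function example_webform_page_vulnerable($account) {
  $default = example_fill_defaults('Email: %useremail Cart: %session[cart]', $account, $_SESSION);
  return drupal_get_form('example_form', $default);
}

// HARDENED: when a default value depends on the user or the session, disable
// the page cache for this request only. Setting $GLOBALS['conf']['cache'] is
// per-request and does not change the site-wide setting.
function example_webform_page_hardened($account) {
  $template = 'Email: %useremail Cart: %session[cart]';
  if (example_uses_personal_tokens($template)) {
    $GLOBALS['conf']['cache'] = CACHE_DISABLED;
  }
  $default = example_fill_defaults($template, $account, $_SESSION);
  return drupal_get_form('example_form', $default);
}
```

The check belongs at the point where the tokens are expanded, since that is the
only place that knows whether the output is user-specific; a site-wide cache
setting cannot make that distinction.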

- - -------- Versions affected
- - ---------------------------------------------------------


    * Webform for Drupal 6.x prior to 6.x-2.8
    * Webform for Drupal 5.x prior to 5.x-2.8

Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Upgrade to the latest version:

    * If you use Webform for Drupal 6.x upgrade to Webform 6.x-2.8
    * If you use Webform for Drupal 5.x upgrade to Webform 5.x-2.8

See also the Webform project page.

- - -------- Reported by
- - ---------------------------------------------------------

The XSS issue was reported by Justin Klein Keane.
The session disclosure issue was reported by seattlehimay.

- - -------- Fixed by
- - ---------------------------------------------------------

The XSS issue was fixed by Greg Knaddison of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug, the module maintainer.

- - -------- Contact
- - ---------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.
______________________________________________________________________

__________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-072
    * Project: RealName (third-party module)
    * Version: 6.x
    * Date: 2009-October-14
    * Security risk: Moderately Critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

- - -------- Description
- - ---------------------------------------------------------


The RealName module allows the administrator to choose fields from the user
profile that will be used to add a "real name" element (method) to a user
object. In some specific cases, the module does not sanitize before outputting
the realname, resulting in a cross-site scripting (XSS) vulnerability. Such
an attack may lead to a malicious user gaining full administrative access.

- - -------- Versions affected
- - ---------------------------------------------------------


    * RealName 6.x-1.x prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed RealName module,
there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Install the latest version:

    * If you use the RealName for Drupal 6.x-1.x upgrade to RealName 6.x-1.3

See also the RealName module project page.

- - -------- Reported by
- - ---------------------------------------------------------

mr.baileys

- - -------- Fixed by
- - ---------------------------------------------------------

NancyDru, the module maintainer

- - -------- Contact
- - ---------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
______________________________________________________________________

___________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-073
    * Project: Printer, e-mail and PDF versions (third-party module)
    * Version: 5.x, 6.x
    * Date: 2009-October-14
    * Security risk: Less critical
    * Exploitable from: Remote
    * Vulnerability: Multiple vulnerabilities

- - -------- Description
- - ---------------------------------------------------------


The Printer, e-mail and PDF versions ("print") module provides printer-friendly
versions of content. When displaying the list of links in a page, the module
does not properly escape this data, leading to a cross site scripting (XSS)
vulnerability.

In addition, the "Send by e-mail" sub-module does not properly check for
access permissions before displaying the "Send to friend" form, and may
display the page title for pages to which the user does not have access
(usually because they are unpublished or not authorized for their role), even
though the user is not actually allowed to send them by e-mail.

- - -------- Versions affected
- - ---------------------------------------------------------

    * Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
    * Printer, e-mail and PDF versions 5.x prior to 5.x-4.9

Drupal core is not affected. If you do not use the contributed Printer, e-mail
and PDF versions module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------

Install the latest version:

    * If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
        Printer, e-mail and PDF versions 6.x-1.9
    * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
        Printer, e-mail and PDF versions 5.x-4.9

Alternatively:
Disable the "Printer-friendly URLs list" in 'admin/settings/print/common' and
disable the "Send by e-mail" ("print_mail") module.

See also the Printer, e-mail and PDF versions project page.

- - -------- Reported by
- - ---------------------------------------------------------

mcarbone

- - -------- Fixed by
- - ---------------------------------------------------------

jcnventura, the module maintainer

- - -------- Contact
- - ---------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
_________________________________________________________________________
_________________________________________________________________________


    * Advisory ID: DRUPAL-SA-CONTRIB-2009-083
    * Project: CCK Comment Reference (third-party module)
    * Version: 6.x
    * Date: 2009-October-28
    * Security risk: Moderately Critical
    * Exploitable from: Remote
    * Vulnerability: Access Bypass

- - -------- Description
- - ---------------------------------------------------------


The CCK Comment Reference module enables administrators to define node fields
that are references to comments. Users can access comments through the
autocomplete path that the module provides even if they don't have access to
read comments.

- - -------- Versions affected
- - ---------------------------------------------------------


    * CCK Comment Reference module versions Drupal 6.x prior to CCK Comment
        Reference 6.x-1.3
    * CCK Comment Reference module versions Drupal 5.x prior to CCK Comment
        Reference 5.x-1.2

Drupal core is not affected. If you do not use the contributed CCK Comment
Reference module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Install the latest version.

    * If you use the CCK Comment Reference module for Drupal 6.x upgrade to
        CCK Comment Reference 6.x-1.3
    * If you use the CCK Comment Reference module for Drupal 5.x upgrade to
        CCK Comment Reference 5.x-1.2

- - -------- Reported by
- - ---------------------------------------------------------

    * Ben Jeavons of Drupal Security Team.

- - -------- Fixed by
- - ---------------------------------------------------------

    * Kristof De Jaeger, the module maintainer.

- - -------- Contact
- - ---------------------------------------------------------


The security team for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
__________________________________________________________________________________
__________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-087
    * Project: FAQ Ask (third-party module)
    * Version: 6.x
    * Date: 2009 October 28
    * Security risk: Critical
    * Exploitable from: Remote
    * Vulnerability: Multiple Vulnerabilities (XSS, CSRF, Open Redirect)

- - -------- Description
- - ---------------------------------------------------------


The FAQ Ask module enables site users to ask questions for experts to answer.

The module suffers multiple vulnerabilities, including Cross Site Request
Forgery (CSRF) and Cross Site Scripting (XSS) problems. These vulnerabilities
allow an attacker to hijack the account of a logged-in user by tricking them
into visiting a seemingly innocent page, and to gain access to unpublished
content on a site.
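
Two of the vulnerability classes listed for this advisory, CSRF and open
redirect, have standard Drupal 6 defences. The following is an added example
and is not the FAQ Ask module's own code: it shows a state-changing link that
carries a session-bound token, the callback that validates it, and a guard on a
caller-supplied redirect target. The path, permission name, table and
function names are hypothetical.

```php
<?php
// Added example, not FAQ Ask's code. Demonstrates (1) a token on a
// state-changing GET link, validated with drupal_valid_token(), and (2)
// restricting ?destination= to local paths before redirecting.
// Path, permission, table and function names are hypothetical.

/**
 * Implementation of hook_menu().
 */
function example_faq_menu() {
  $items['example/faq/unassign/%node'] = array(
    'page callback'    => 'example_faq_unassign',
    'page arguments'   => array(3),
    'access arguments' => array('administer faq'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// Building the link. drupal_get_token() hashes the session id, the value and
// the site's private key, so a link forged on another site cannot carry a
// token valid for the victim's session.
function example_faq_unassign_link($node) {
  return l(t('Unassign'), 'example/faq/unassign/' . $node->nid,
    array('query' => array('token' => drupal_get_token('faq-unassign-' . $node->nid))));
}

// VULNERABLE shape, for contrast: any authenticated GET performs the change,
// then the browser is sent wherever ?destination= points.
function example_faq_unassign_vulnerable($node) {
  example_faq_do_unassign($node);
  drupal_goto($_GET['destination']);
}

// HARDENED: refuse unless the token validates for this nid, and only
// redirect to a site-relative path.
function example_faq_unassign($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'faq-unassign-' . $node->nid)) {
    return drupal_access_denied();
  }
  example_faq_do_unassign($node);

  $dest = isset($_GET['destination']) ? $_GET['destination'] : '';
  // drupal_goto() itself honours $_REQUEST['destination'], so strip it before
  // redirecting to the validated value; otherwise the check below is bypassed.
  unset($_GET['destination'], $_REQUEST['destination']);
  drupal_goto(example_safe_destination($dest));
}

// Accept only site-relative paths. Anything with a URL scheme, or a leading
// "//" (protocol-relative, which browsers treat as absolute), falls back to
// the front page.
function example_safe_destination($path) {
  if ($path === '' || preg_match('#^[a-z][a-z0-9+.-]*:#i', $path) || strpos($path, '//') === 0) {
    return '<front>';
  }
  return $path;
}

function example_faq_do_unassign($node) {
  db_query("UPDATE {example_faq_expert} SET uid = 0 WHERE nid = %d", $node->nid);  // hypothetical table
}
```

Using the Form API with a confirmation form (confirm_form()) gives the same
CSRF protection automatically, since every Form API submission carries a
form token; the explicit token above is for the cases where a module insists
on acting from a plain link.
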

- - -------- Versions affected
- - ---------------------------------------------------------


    * FAQ Ask module for Drupal 6.x prior to 6.x-2.0 (including 6.x-1.x)
    * FAQ Ask module for Drupal 5.x

Drupal core is not affected. If you do not use the contributed FAQ Ask module,
there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Upgrade to the latest version or disable the module.

    * If you use FAQ Ask for Drupal 6.x upgrade to version 6.x-2.0
    * If you use FAQ Ask for Drupal 5.x it is no longer supported and you
        should disable it or upgrade your site to 6.x so you can use FAQ
        Ask 6.x-2.0.

See also the FAQ Ask module project page.

- - -------- Reported by
- - ---------------------------------------------------------


    * XSS and CSRF vulnerability reported by Dylan Wilder-Tack

- - -------- Fixed by
- - ---------------------------------------------------------


    * Fixed by NancyDru.

- - -------- Contact
- - ---------------------------------------------------------


The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

________________________________________________________________________________

________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-085
    * Project: Insert Node (third-party module)
    * Version: 5.x
    * Date: 2009-October-28
    * Security risk: Moderately Critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

- - -------- Description
- - ---------------------------------------------------------


The Insert Node module provides an input filter that enables a node to be
inserted within the body field of another node.

The module fails to sanitize the inserted node, making it vulnerable to a
cross site scripting (XSS) attack.
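
An input filter that embeds one node inside another has to decide which input
format governs the embedded text. The following is an added example in the
Drupal 6 filter API and is not the Insert Node module's own code: the
vulnerable shape inserts the stored body raw, so anyone who can create a node
under a restrictive format gets their markup rendered under whatever format
the host node uses; the hardened shape runs the body through its own format
and enforces node access first. The tag syntax and function names are
hypothetical.

```php
<?php
// Added example, not Insert Node's code. A Drupal 6 input filter replacing
// [example-node:NID] with node NID's body. Tag syntax and names are assumed.

/**
 * Implementation of hook_filter().
 */
function example_insert_filter($op, $delta = 0, $format = -1, $text = '') {
  switch ($op) {
    case 'list':
      return array(0 => t('Insert node (example)'));
    case 'description':
      return t('Replaces [example-node:NID] with the body of node NID.');
    case 'no cache':
      // Output depends on the viewing user's access to the embedded node, so
      // the filtered result must not be cached and shared between users.
      return TRUE;
    case 'process':
      return preg_replace_callback('/\[example-node:(\d+)\]/', 'example_insert_replace', $text);
    default:
      return $text;
  }
}

// VULNERABLE shape, for contrast: the stored body goes out untouched, under
// the host node's (possibly permissive) format.
function example_insert_replace_vulnerable($matches) {
  $node = node_load((int) $matches[1]);
  return $node ? $node->body : '';
}

// HARDENED: enforce access, then render the body with the format it was
// written in. check_markup() applies that format's filter chain (tag
// whitelist, HTML corrector, ...). $check = FALSE means the *current* user is
// not required to have permission to use that format, which is the right
// choice when displaying someone else's already-stored content.
function example_insert_replace($matches) {
  $node = node_load((int) $matches[1]);
  if (!$node || !node_access('view', $node)) {
    return '';
  }
  return check_markup($node->body, $node->format, FALSE);
}
```

The access check closes a second hole the raw approach leaves open: without it,
the filter would also let a reader embed, and thus read, a node they are not
allowed to view.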

- - -------- Versions affected
- - ---------------------------------------------------------


    * Insert Node module versions for Drupal 5.x prior to Insert Node 5.x-1.2

Drupal core is not affected. If you do not use the contributed Insert Node
module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Install the latest version.

    * If you use the Insert Node module for Drupal 6.x there is nothing you
        need to do.
    * If you use the Insert Node module for Drupal 5.x upgrade to Insert Node
        5.x-1.2

- - -------- Reported by
- - ---------------------------------------------------------


    * Konstantin Käfer.

- - -------- Fixed by
- - ---------------------------------------------------------


    * Mark Burton and Alexis Wilke, the module maintainers.

- - -------- Contact
- - ---------------------------------------------------------


The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
________________________________________________________________________________
________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-089
    * Project: Storm (third-party module)
    * Version: 6.x
    * Date: 2009-October-28
    * Security risk: Less Critical
    * Exploitable from: Remote
    * Vulnerability: Access Bypass

- - -------- Description
- - ---------------------------------------------------------


The Storm module provides a project management application for Drupal.

The module suffers a vulnerability whereby nodes of type 'storminvoiceitem'
are not respecting the expected access permissions, potentially exposing the
node title to unauthorized users.
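
The Print (send-by-e-mail form), CCK Comment Reference (autocomplete path) and
Storm (storminvoiceitem titles) advisories above are all the same class of
defect: a path that hands out node titles or comments without asking whether
the caller may read them. The following is an added example in the Drupal 6
menu API and is not code from any of those modules; paths, permission names
and function names are hypothetical.

```php
<?php
// Added example, not code from Print, CCK Comment Reference or Storm. Shows
// the two places Drupal 6 access checks belong: the menu router entry for a
// per-node page, and inside an autocomplete callback that returns comments.
// Paths and function names are hypothetical.

/**
 * Implementation of hook_menu().
 */
function example_access_menu() {
  $items['example/mail/%node'] = array(
    'page callback'    => 'example_mail_form_page',
    'page arguments'   => array(2),
    // Per-node check: node_access() honours node_access grants and unpublished
    // status, unlike a bare user_access('access content').
    'access callback'  => 'node_access',
    'access arguments' => array('view', 2),
    'type'             => MENU_CALLBACK,
  );
  $items['example/comment/autocomplete'] = array(
    'page callback'    => 'example_comment_autocomplete',
    'access arguments' => array('access comments'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// Reached only after node_access('view', $node) returned TRUE, so the title
// is shown only to someone entitled to read the node.
function example_mail_form_page($node) {
  return drupal_get_form('example_mail_form', $node);
}

function example_mail_form(&$form_state, $node) {
  $form['page']   = array('#type' => 'item', '#title' => t('Page'), '#value' => check_plain($node->title));
  $form['to']     = array('#type' => 'textfield', '#title' => t('Send to'), '#required' => TRUE);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

/**
 * Autocomplete callback returning JSON {"subject [cid:N]": "subject"}.
 * The 'access comments' permission on the router entry is necessary but not
 * sufficient: each candidate is still filtered by node access (grants via
 * db_rewrite_sql() plus an explicit node_access() call) and by comment
 * publication status.
 */
function example_comment_autocomplete($string = '') {
  $matches = array();
  if ($string !== '') {
    $sql = "SELECT c.cid, c.subject, c.status, n.nid FROM {comments} c "
         . "INNER JOIN {node} n ON n.nid = c.nid WHERE LOWER(c.subject) LIKE LOWER('%%%s%%')";
    $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
    while ($row = db_fetch_object($result)) {
      if ($row->status == COMMENT_NOT_PUBLISHED && !user_access('administer comments')) {
        continue;
      }
      $node = node_load($row->nid);
      if (!$node || !node_access('view', $node)) {
        continue;   // db_rewrite_sql() only covers grant-based restrictions
      }
      $matches[check_plain($row->subject) . " [cid:$row->cid]"] = check_plain($row->subject);
    }
  }
  drupal_json($matches);
}
```

Autocomplete and other AJAX paths deserve the same scrutiny as full pages: they
are rarely linked from the UI, so a missing check is easy to overlook and just
as easy to drive directly with a crafted request.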

- - -------- Versions affected
- - ---------------------------------------------------------


    * Versions of Storm for Drupal 6.x prior to 6.x-1.25

Versions of Storm for Drupal 5.x and 7.x are not affected.

Drupal core is not affected. If you do not use the 6.x version of the
contributed Storm module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Install the latest version:

    * If you use Storm for Drupal 6.x upgrade to Storm 6.x-1.25

Also see the Storm project page.

- - -------- Reported by
- - ---------------------------------------------------------


    * Fabio Fabbri

- - -------- Fixed by
- - ---------------------------------------------------------


    * Magnity, the module maintainer

- - -------- Contact
- - ---------------------------------------------------------


The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
________________________________________________________________________________
________________________________________________________________________________

    * Advisory ID: DRUPAL-SA-CONTRIB-2009-086
    * Project: OpenSocial Shindig-Integrator (third-party module)
    * Version: 6.x, 5.x
    * Date: 2009-October-28
    * Security risk: Moderately Critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

- - -------- Description
- - ---------------------------------------------------------


The OpenSocial Shindig-Integrator module enables sites to host OpenSocial
widgets.

The module fails to sanitize user input, making it vulnerable to cross site
scripting (XSS) attacks. This vulnerability is somewhat limited by the fact
that an attacker would need an account with the permissions to "create
application" on the site.
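
The Workflow, Webform, RealName, Printer/e-mail/PDF and OpenSocial
Shindig-Integrator advisories on this page all describe the same defect:
a stored string (a workflow or state name, a field label, a real name, a link
list entry, an application field) reaching HTML without escaping. The following
is an added example in the Drupal 6 API and is not code from any of those
modules; the sample rows, table and function names are constructed for
illustration.

```php
<?php
// Added example, not code from any module in this bulletin. Shows the
// output-escaping defect common to the XSS advisories above, and the Drupal 6
// fix. Sample rows and function names are constructed.

// Constructed rows standing in for a db_fetch_object() loop over a table such
// as workflow_states. The second row is what a holder of 'administer workflow'
// (or 'create application', etc.) could store.
function example_sample_rows() {
  return array(
    (object) array('sid' => 1, 'state' => 'Draft'),
    (object) array('sid' => 2, 'state' => 'Review <script>alert(document.cookie)</script>'),
  );
}

// VULNERABLE: the stored name is dropped straight into markup.
// theme('item_list') does not escape its items, so the script runs in the
// browser of every administrator who views the listing.
function example_list_states_vulnerable($rows) {
  $items = array();
  foreach ($rows as $row) {
    $items[] = $row->state;
  }
  return theme('item_list', $items);
}

// HARDENED: escape at the point of output. check_plain() HTML-encodes
// < > & " and ', turning the payload into inert text.
function example_list_states_hardened($rows) {
  $items = array();
  foreach ($rows as $row) {
    $items[] = check_plain($row->state);
  }
  return theme('item_list', $items);
}

// The same rule for link text and for strings embedded in translated
// messages. l() escapes its text argument by default; t() escapes @ and %
// placeholders and passes ! placeholders through raw, so ! is only for
// values already known to be safe HTML. theme('table') cells, like item
// list items, are NOT escaped for you.
function example_state_links_hardened($rows) {
  $links = array();
  foreach ($rows as $row) {
    $links[] = l($row->state, 'admin/build/workflow/state/' . $row->sid);
    // Equivalent manual form:
    // t('<a href="@url">@name</a>', array('@url' => url('admin/build/workflow/state/' . $row->sid),
    //                                      '@name' => $row->state));
  }
  return theme('item_list', $links);
}
```

The mitigating factor cited in several of these advisories (the attacker needs
an administrative permission to store the payload) does not make the bug
harmless: the payload fires in the browser of whichever administrator views the
page, which is how "gain full administrative access" follows from an
admin-only field.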

- - -------- Versions affected
- - ---------------------------------------------------------


    * OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial
        Shindig-Integrator 6.x-2.1
    * OpenSocial Shindig-Integrator module for Drupal 5.x

Drupal core is not affected. If you do not use the contributed OpenSocial
Shindig-Integrator module, there is nothing you need to do.

- - -------- Solution
- - ---------------------------------------------------------


Install the latest version or disable the module.

    * If you use the OpenSocial Shindig-Integrator module for Drupal 6.x
         upgrade to OpenSocial Shindig-Integrator 6.x-2.1
    * If you use the OpenSocial Shindig-Integrator module for Drupal 5.x,
         disable the module and uninstall it. The 5.x branch is no longer
         supported.

- - -------- Reported by
- - ---------------------------------------------------------


    * Tony Mobily

- - -------- Fixed by
- - ---------------------------------------------------------


    * Astha Bhatnagar, module maintainer.

- - -------- Contact
- - ---------------------------------------------------------


The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

