=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN029
_____________________________________________________________________

DATE                      : 14/01/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Bibliography Module for DRUPAL,
                             Own Term for DRUPAL, Node Block for DRUPAL.

======================================================================
http://drupal.org/node/683786
http://drupal.org/node/683576
http://drupal.org/node/683598
______________________________________________________________________


SA-CONTRIB-2010-006 - Bibliography Module - Cross Site Scripting
Drupal Security Team - January 13, 2010 - 20:46

    * Advisory ID: DRUPAL-SA-CONTRIB-2010-006
    * Project: Bibliography (third-party module)
    * Version: 5.x, 6.x
    * Date: 2010-January-13
    * Security risk: Moderately Critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description

The Bibliography module enables users to manage and display lists of
scholarly publications. The module does not sanitize some of the
user-supplied data before displaying it, leading to a Cross Site Scripting
(XSS) vulnerability. Only users with the 'administer biblio' permission are
able to exploit this vulnerability.

Versions affected

    * Bibliography module 5.x-1.17 and prior versions
    * Bibliography module 6.x-1.9 and prior versions

Drupal core is not affected. If you do not use the contributed Bibliography module,
there is nothing you need to do.


Solution

Install the latest version:

    * If you use Bibliography for Drupal 5.x upgrade to Bibliography 5.x-1.18
    * If you use Bibliography for Drupal 6.x upgrade to Bibliography 6.x-1.10

See also the Bibliography project page.

Reported by

    * grendzy of the Drupal Security Team.

Fixed by

Ron Jerome, the Bibliography project maintainer.

Contact

The security team for Drupal can be reached at security at
drupal.org or via the form at http://drupal.org/contact.

__________________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-005
  * Project: Own Term (third-party module)
  * Version: 6.x-1.0
  * Date: 2010-January-13
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Own Term module allows users to create taxonomy terms in a designated
vocabulary; when a user creates content, their term is automatically added to
the node. The module does not sanitize the term description on a term listing
page, which allows a cross-site scripting (XSS [1]) attack. Users with a role
containing the permission 'create additional terms' can exploit this
vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Own Term module 6.x-1.0

Drupal core is not affected. If you do not use the contributed Own Term
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Own Term module for Drupal 6.x upgrade to Own Term
    6.x-1.1 [2]

See also the Own Term project page [3].
-------- REPORTED BY ---------------------------------------------------------

Benjamin Jeavons [4], Own Term module comaintainer.
-------- FIXED BY ------------------------------------------------------------

Benjamin Jeavons [5], Own Term module comaintainer.
-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/683544
[3] http://drupal.org/project/ownterm
[4] http://drupal.org/user/91990
[5] http://drupal.org/user/91990
________________________________________________________________________


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-004
  * Project: Node Block (third-party module)
  * Version: 6.13, 5.11
  * Date: 2010-January-13
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Node Block module lets a site builder designate one or more content
type(s) as blocks, so that content managers can edit a block's text and title
by editing the node, without access to the block administration page. Users
only need edit access to that node in order to change the block. Users with
administer block access also see region and weight options on the node form.
Node Block does not properly escape node titles when rendering the block,
allowing users with permission to create or edit nodes of the designated
content type(s) to inject arbitrary HTML and script into the site. Such a
cross-site scripting (XSS) attack may lead to a malicious user gaining full
administrative access.
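All three advisories in this note describe the same bug class: a string a
low-privileged user controls (a term description, a node title, a
bibliography field) is written into HTML output without escaping. The PHP
below is an added illustration for this note; it is not code from the
Bibliography, Own Term or Node Block modules, nor from the Drupal Security
Team, and the advisories do not say which exact lines each maintainer changed.
The render functions, the sample terms and title, and the
contains_injected_markup() check are constructed here. check_plain() is
Drupal's own 5.x/6.x API for escaping plain text into HTML; a stand-in that
makes the same htmlspecialchars() call is defined so the script also runs
outside Drupal.

```php
<?php
// Added example for CERT-Renater note 2010/VULN029, not code from any of the
// three modules. Shows user-supplied text concatenated into HTML (the bug the
// advisories describe) beside the Drupal 5.x/6.x fix, check_plain().

// Stand-in so the script runs outside Drupal. Drupal's check_plain() makes the
// same htmlspecialchars() call (and additionally rejects invalid UTF-8). Inside
// a module the real function already exists and this block is skipped.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

// VULNERABLE (constructed): the pattern Own Term had on its term listing page.
// Name and description are concatenated into markup as-is, so a user who can
// create terms can put a tag or event handler on every visitor's page.
function render_term_listing_vulnerable(array $terms) {
  $out = "<ul>\n";
  foreach ($terms as $term) {
    $out .= '<li>' . $term['name'] . ': ' . $term['description'] . "</li>\n";
  }
  return $out . "</ul>\n";
}

// FIXED: every user-controlled string passes through check_plain() at the
// point it enters HTML. Plain-text fields such as names and titles lose any
// markup the user typed, which is the intended result for such fields.
function render_term_listing_fixed(array $terms) {
  $out = "<ul>\n";
  foreach ($terms as $term) {
    $out .= '<li>' . check_plain($term['name']) . ': '
          . check_plain($term['description']) . "</li>\n";
  }
  return $out . "</ul>\n";
}

// VULNERABLE (constructed): the pattern Node Block had with block titles taken
// from nodes that any user with create/edit rights on the content type writes.
function render_block_title_vulnerable($title) {
  return '<h2 class="title">' . $title . "</h2>\n";
}

// FIXED: same title, escaped.
function render_block_title_fixed($title) {
  return '<h2 class="title">' . check_plain($title) . "</h2>\n";
}

// Demo check only: is a live <script> or <img> tag from the payload still in
// the markup? After check_plain() the '<' has become '&lt;', so neither
// matches. This is not a general XSS detector.
function contains_injected_markup($html) {
  return (bool) preg_match('/<(script|img)\b/i', $html);
}

// Constructed sample input: one benign term, one carrying the kind of payload
// a user with 'create additional terms' could submit, and a node title with an
// inline script such as a user with create/edit rights on the type could set.
$terms = array(
  array('name' => 'Biology',   'description' => 'Life sciences'),
  array('name' => 'Chemistry', 'description' => '<img src=x onerror="alert(document.cookie)">'),
);
$title = 'Sidebar <script>alert(1)</script>';

foreach (array('vulnerable', 'fixed') as $variant) {
  $list  = call_user_func("render_term_listing_$variant", $terms);
  $block = call_user_func("render_block_title_$variant", $title);
  printf("[%s] term listing carries injected markup: %s\n", $variant,
         contains_injected_markup($list) ? 'yes' : 'no');
  printf("[%s] block title carries injected markup:  %s\n", $variant,
         contains_injected_markup($block) ? 'yes' : 'no');
  echo $list, $block, "\n";
}
```

Run it with the PHP command-line interpreter; the vulnerable variant reports
injected markup in both the listing and the block title, the fixed variant in
neither. check_plain() is the right call for fields that are plain text. For a
field that is meant to carry markup (a term description entered under an input
format, for instance), Drupal 6 provides check_markup() to apply that format's
filters and filter_xss() to whitelist a small set of tags; which of these each
maintainer used in the fixed releases is not stated in the advisories.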
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Node Blocks module 5.x-1.1 and prior versions
  * Node Blocks module 6.x-1.3 and prior versions

Drupal core is not affected. If you do not use the contributed Node Block
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Node Blocks module for Drupal 5.x upgrade to Node Blocks
    5.x-1.2 [1]
  * If you use the Node Blocks module for Drupal 6.x upgrade to Node Blocks
    6.x-1.4 [2]

See also the Node Block project page [3].
-------- REPORTED BY ---------------------------------------------------------

Martin Barbella [4] and Khalid Baheyeldin [5]
-------- FIXED BY ------------------------------------------------------------

Thomas Turnbull [6].
-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/683586
[2] http://drupal.org/node/683584
[3] http://drupal.org/project/nodeblock
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/4063
[6] http://drupal.org/user/125573

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


