=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN064
_____________________________________________________________________

DATE                      : 19/02/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running iTweak Upload for DRUPAL,
                             Content Distribution for DRUPAL.

======================================================================
http://drupal.org/node/717214
http://drupal.org/node/717556
______________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-017
  * Project: iTweak Upload (third-party module)
  * Version: 6.x
  * Date: 2010 February 17
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION
- ---------------------------------------------------------

iTweak Upload does not escape file names when displaying uploaded files. This
allows a malicious user with the permission to create content and upload
files to perform a Cross Site Scripting [1] (XSS) attack.
- -------- VERSIONS AFFECTED
- ---------------------------------------------------

  * iTweak Upload 6.x-2.x prior to 6.x-2.3
  * iTweak Upload 6.x-1.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed iTweak Upload
module, there is nothing you need to do.
- -------- SOLUTION
- ------------------------------------------------------------

Install the latest version:
  * If you use iTweak Upload 6.x-1.x, upgrade to iTweak Upload 6.x-1.2 [2]
  * If you use iTweak Upload 6.x-2.x, upgrade to iTweak Upload 6.x-2.3 [3]

See also the iTweak Upload project page [4].
- -------- REPORTED BY
- ---------------------------------------------------------

  * Mark Piper

- -------- FIXED BY
- ------------------------------------------------------------

  * Ilya Ivanchenko [5], the iTweak Upload module maintainer.

- -------- CONTACT
- -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[2] http://drupal.org/node/711072
[3] http://drupal.org/node/711074
[4] http://drupal.org/project/itweak_upload
[5] http://drupal.org/user/87708

________________________________________________________________

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-018
  * Project: Content Distribution (third-party module)
  * Version: 6.x
  * Date: 2010 February 17
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Mulitple Vulnerabilities

- -------- DESCRIPTION
- ---------------------------------------------------------

Content Distribution module allows calling a method to delete particular
nodes using a XML-RPC call. When this method is allowed to be called by
anonymous users in user permissions, an attacker might delete a random node.
In addition, certain actions require Content Distribution to temporarily
switch users. This is being done without properly disabling session saving.
- -------- VERSIONS AFFECTED
- ---------------------------------------------------

  * Content Distribution prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Content
Distribution module, there is nothing you need to do.
- -------- SOLUTION
- ------------------------------------------------------------

Install the latest version:
  * If you use Content Distribution for Drupal 6.x upgrade to Content
    Distribution 6.x-1.3 [1].

See also the Content Distribution project page [2].
- -------- REPORTED BY
- ---------------------------------------------------------

  * Joachim Noreiko (joachim [3]), the module co-maintainer.

- -------- FIXED BY
- ------------------------------------------------------------

  * Joachim Noreiko (joachim [4]), the module co-maintainer.

- -------- CONTACT
- -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/716400
[2] http://drupal.org/project/content_distribution
[3] http://drupal.org/user/107701
[4] http://drupal.org/user/107701

_______________________________________________

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================