=====================================================================
CERT-Renater Information Note No. 2010/VULN301
_____________________________________________________________________

DATE                 : 12/08/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Privatemsg for DRUPAL, FileField Sources for DRUPAL,
                       Printer, e-mail and PDF versions for DRUPAL, Ubercart for DRUPAL,
                       OpenID for DRUPAL, Pathauto for DRUPAL, Prepopulate for DRUPAL,
                       GovDelivery Integration for DRUPAL, Content Construction Kit for DRUPAL.
======================================================================

http://drupal.org/node/880008
http://drupal.org/node/880386
http://drupal.org/node/880392
http://drupal.org/node/880396
http://drupal.org/node/880480
http://drupal.org/node/880522
http://drupal.org/node/880696
http://drupal.org/node/880698
http://drupal.org/node/880736
______________________________________________________________________

--------------------------BEGIN INCLUDED TEXT--------------------

* Advisory ID: DRUPAL-SA-CONTRIB-2010-080
* Project: Privatemsg (third-party module)
* Version: 6.x
* Date: 2010-August-11
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Privatemsg module allows private messages to be sent between users.

The module does not properly escape user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability. Any user with permission to write private messages is vulnerable to attack.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Privatemsg module for Drupal 6.x versions prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Privatemsg [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Privatemsg module for Drupal 6.x upgrade to Privatemsg 6.x-1.3 [3]

See also the Privatemsg project page [4].

-------- REPORTED BY ---------------------------------------------------------

* Ben Durbin (bdurbin) [5]

-------- FIXED BY ------------------------------------------------------------

* Ben Durbin (bdurbin) [6]
* Sascha Grossenbacher (Berdir) [7], module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/privatemsg
[3] http://drupal.org/node/880036
[4] http://drupal.org/project/privatemsg
[5] http://drupal.org/user/165644
[6] http://drupal.org/user/165644
[7] http://drupal.org/user/214652
[8] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution

-------- DESCRIPTION ---------------------------------------------------------

The FileField Sources module expands on the abilities of FileField, allowing users to select new or existing files through additional means, including: reuse of existing files through an autocomplete textfield or IMCE, or transferring files directly from remote servers.

The module does not sanitize the file extensions of files that have been transferred from remote servers, allowing for the transfer of files that match allowed extensions but actually contain malicious code.
This could potentially allow an attacker to transfer scripts to the server and execute them. This vulnerability is usually mitigated by Drupal core's built-in security mechanisms, which prevent code execution of uploads that are within the Drupal files directory. This exploit should not affect the majority of Drupal sites. Users would also need the ability to use the FileField Sources module, which requires permission to create or edit a node that has a FileField with FileField Sources configured for it.

-------- VERSIONS AFFECTED ---------------------------------------------------

* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed FileField Sources [1] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the FileField Sources module for Drupal 6.x upgrade to FileField Sources 6.x-1.2 [2]

See also the FileField Sources project page [3].

-------- REPORTED BY ---------------------------------------------------------

* Apa Sajja

-------- FIXED BY ------------------------------------------------------------

* Nathan Haug [4], module maintainer
* Greg Knaddison [5] of the Drupal security team

-------- CONTACT -------------------------------------------------------------

The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
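The defensive measure this advisory calls for, as an added example (Python, not FileField Sources' own PHP code): a filename taken from a remote URL is reduced to its last path segment, every inner extension not on the site's allow-list gets an underscore appended (the approach Drupal core takes in file_munge_filename(), so "report.php.txt" becomes "report.php_.txt" and no longer matches a script handler), and the final extension is checked against the same allow-list. The allow-list and the sample URLs are constructed.

```python
"""Defensive filename handling for files transferred from remote servers."""
import re
from urllib.parse import urlparse, unquote

ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}  # constructed site policy


def filename_from_url(url: str) -> str:
    """Use only the last path segment of the remote URL as the local name."""
    path = unquote(urlparse(url).path)          # query string and fragment are dropped
    name = path.rsplit("/", 1)[-1]
    # percent-decoding may reintroduce separators or control characters; strip them
    name = re.sub(r"[\x00-\x1f\\/]", "", name)
    return name or "download"


def munge_filename(filename: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Append '_' to every inner extension that is not on the allow-list.

    The final extension is left untouched here; sanitize_remote_filename()
    checks it separately against the same allow-list.
    """
    parts = filename.split(".")
    if len(parts) < 3:                          # no inner extensions to neutralise
        return filename
    base, *inner, last = parts
    inner = [ext if ext.lower() in allowed else ext + "_" for ext in inner]
    return ".".join([base, *inner, last])


def sanitize_remote_filename(url: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return a safe local filename for a remote transfer, or raise ValueError."""
    name = munge_filename(filename_from_url(url), allowed)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} is not permitted for remote transfers")
    return name
```

The munging step matters even when the final extension is allowed: a web server configured to pick the handler from any extension in the name would otherwise treat "report.php.txt" as PHP, which is exactly the "matches an allowed extension but contains code" case the advisory describes.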
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/node/880248
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/user/35821
[5] http://drupal.org/user/36762
[6] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access

-------- DESCRIPTION ---------------------------------------------------------

The Printer, e-mail and PDF versions ("print") module provides printer-friendly versions of content, including a PDF version that is generated by one of three supported generation tools (dompdf, TCPDF and wkhtmltopdf).

When using the wkhtmltopdf PDF generation tool, that tool is able to access local files in the Drupal server environment. Users with the ability to create unfiltered HTML in the node content could trick the tool into accessing any file accessible by the Web server user and displaying its contents inside the generated PDF.

Sites should not grant the ability to post unfiltered HTML to untrusted roles.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Printer, e-mail and PDF versions 6.x prior to 6.x-1.11
* Printer, e-mail and PDF versions 5.x prior to 5.x-4.10

Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.11 [1]
* If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.10 [2]

If you use the wkhtmltopdf PDF generation tool, and its version is older than 0.9.6, please upgrade [3] to a more recent version, as the module now supports only versions 0.9.6 or higher.

See also the Printer, e-mail and PDF versions project page [4].

-------- REPORTED BY ---------------------------------------------------------

* Douglas Bagnall [5]

-------- FIXED BY ------------------------------------------------------------

* João Ventura [6], module maintainer
* James Gilliland [7], module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/node/880280
[2] http://drupal.org/node/880276
[3] http://code.google.com/p/wkhtmltopdf
[4] http://drupal.org/project/print
[5] http://drupal.org/user/758786
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/48673
[8] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-083
* Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the Ubercart Project)
* Version: 5.x, 6.x
* Date: 2010-Aug-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross Site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues.
1) The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to simulate payment and order completion on arbitrary orders. If the 2Checkout gateway module is not installed then your site is not at risk to this vulnerability.

2) The Paypal module's WPS payment method did not properly verify the payment notification information. A malicious user could alter HTML form data to send payment to a different Paypal account and still check out on the site. If you do not use the Paypal WPS payment method then your site is not at risk to this vulnerability.

3) The Ubercart Cart Links module is vulnerable to both an Access Bypass and Cross Site Request Forgery where a malicious user could both trick other users into adding or removing items from their cart and add items to a cart which are not published on the site. If you do not use Ubercart Cart Links module your site is not at risk to this vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Ubercart module for Drupal 5.x versions prior to 5.x-1.10
* Ubercart module for Drupal 6.x versions prior to 6.x-2.4

Drupal core is not affected. If you do not use the contributed Ubercart [1] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10 [2]
* If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4 [3]

See also the Ubercart project page [4].
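The verifications that items 1) and 2) above say the 2Checkout and PayPal WPS modules lacked, as an added example (Python, not Ubercart's PHP code): before an order is marked paid, the notification must be authenticated as coming from the gateway (a constructed HMAC-SHA256 signature stands in here for the gateway's own verification mechanism), the receiving account must be the store's own rather than one substituted in the checkout form data, and the order number, amount and currency must match the locally stored order. The merchant account, shared secret, order table and notification payloads are all constructed.

```python
"""Checks a store should make on a payment-gateway notification."""
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

MERCHANT_ACCOUNT = "payments@store.example.invalid"   # constructed
GATEWAY_SECRET = b"constructed-shared-secret"          # constructed; never sent to the browser

ORDERS = {  # constructed local order store
    "1001": {"total": Decimal("49.90"), "currency": "EUR", "status": "pending"},
    "1002": {"total": Decimal("5.00"), "currency": "EUR", "status": "pending"},
}
SEEN_TXN_IDS = set()


def sign_notification(n: dict) -> str:
    """Signature over the sorted fields (constructed scheme of the simulated gateway)."""
    canon = "&".join(f"{k}={n[k]}" for k in sorted(n) if k != "signature")
    return hmac.new(GATEWAY_SECRET, canon.encode(), hashlib.sha256).hexdigest()


def gateway_notification(**fields) -> dict:
    """Simulate what the gateway sends: the fields plus a valid signature."""
    fields["signature"] = sign_notification(fields)
    return fields


def verify_notification(n: dict) -> tuple:
    """Return (accepted, reason); only an accepted notification completes an order."""
    # 1. authenticity: the browser that submitted the checkout form cannot forge this
    if not hmac.compare_digest(n.get("signature", ""), sign_notification(n)):
        return False, "bad signature"
    # 2. the payment went to *our* account, not to one chosen in the form data
    if n.get("receiver") != MERCHANT_ACCOUNT:
        return False, "receiver mismatch"
    order = ORDERS.get(n.get("order_id"))
    if order is None:
        return False, "unknown order"
    # 3. amount and currency are what the order actually costs
    try:
        paid = Decimal(n.get("amount", ""))
    except InvalidOperation:
        return False, "malformed amount"
    if paid != order["total"] or n.get("currency") != order["currency"]:
        return False, "amount/currency mismatch"
    # 4. the gateway reports a completed payment, not a pending or reversed one
    if n.get("status") != "completed":
        return False, "payment not completed"
    # 5. each gateway transaction may complete an order only once
    txn = n.get("txn_id")
    if not txn or txn in SEEN_TXN_IDS:
        return False, "missing or duplicate transaction id"
    SEEN_TXN_IDS.add(txn)
    order["status"] = "paid"
    return True, "ok"
```

Check 2 is the one that matters for the WPS case: a notification that is perfectly authentic but reports money received by some other account must still not complete the order.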
-------- REPORTED BY ---------------------------------------------------------

* Greg Knaddison [5] of the Drupal Security Team
* Guy Paddock [6]
* Nathan Phillip Brink [7]

-------- FIXED BY ------------------------------------------------------------

* Lyle Mantooth [8], the module maintainer
* Greg Knaddison [9] of the Drupal Security Team

-------- CONTACT -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/project/ubercart
[2] http://drupal.org/node/880378
[3] http://drupal.org/node/880390
[4] http://drupal.org/project/ubercart
[5] http://drupal.org/user/UID
[6] http://drupal.org/user/156932
[7] http://drupal.org/user/829476
[8] http://drupal.org/user/86683
[9] http://drupal.org/user/UID
[10] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-084
* Project: OpenID (third-party module)
* Version: 5.x
* Date: 2010-Aug-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Authentication bypass

-------- DESCRIPTION ---------------------------------------------------------

The OpenID module provides users the ability to log in to sites using an OpenID account.

The OpenID module doesn't implement all the required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks.
Specifically:

- OpenID should verify that an "openid.response_nonce" has not already been used for an assertion by the OpenID provider
- OpenID should verify the value of openid.return_to as obtained from the OpenID provider
- OpenID must verify that all fields that are required to be signed are signed

These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs.

-------- VERSIONS AFFECTED ---------------------------------------------------

* OpenID module for Drupal 5.x versions prior to 5.x-1.4

This issue affects the OpenID module for Drupal 5.x only. A separate security announcement [1] and release is published for the OpenID core module in Drupal 6.x.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the OpenID module for Drupal 5.x upgrade to OpenID 5.x-1.4 [2]

See also the OpenID project page [3].

-------- REPORTED BY ---------------------------------------------------------

* Johnny Bufu [4]
* Christian Schmidt [5]
* Heine Deelstra [6] of the Drupal security team

-------- FIXED BY ------------------------------------------------------------

* Christian Schmidt [7]
* Heine Deelstra [8] of the Drupal security team
* Damien Tournoud [9] of the Drupal security team

-------- CONTACT -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
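The three relying-party checks listed in this advisory, as an added example (Python, not the Drupal OpenID module's code): openid.response_nonce must be recent and never accepted before, openid.return_to must equal the URL this site sent with its request, and every field the protocol requires to be signed must appear in openid.signed, with the signature verifying under the association's MAC key. The OP endpoint, return URL, association key, demo clock and the assertion itself are constructed; the signature is HMAC-SHA256 over the key-value form of the signed fields, as in OpenID Authentication 2.0.

```python
"""Relying-party verification of an OpenID 2.0 positive assertion."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

OP_ENDPOINT = "https://op.example.invalid/server"             # constructed
RETURN_TO = "https://rp.example.invalid/openid/authenticate"  # constructed
MAC_KEY = b"constructed-association-mac-key"                  # constructed
DEMO_NOW = datetime(2010, 8, 11, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo

# OpenID Authentication 2.0, section 10.1: always required in openid.signed ...
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
# ... and these whenever they are present in the response.
IDENTITY_FIELDS = {"claimed_id", "identity"}

NONCE_MAX_AGE = timedelta(minutes=10)   # constructed clock-skew tolerance
used_nonces = set()                      # a per-OP table in a real deployment


def kv_form(fields, signed):
    """Key-value form: one 'name:value' line per signed field, in openid.signed order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign_assertion(fields, mac_key=MAC_KEY):
    signed = fields["signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_assertion(nonce, return_to=RETURN_TO):
    """Simulate the OP: a positive assertion for a constructed identity."""
    f = {
        "ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
        "op_endpoint": OP_ENDPOINT, "return_to": return_to,
        "claimed_id": "https://alice.example.invalid/", "identity": "https://alice.example.invalid/",
        "response_nonce": nonce, "assoc_handle": "assoc-1",
        "signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    f["sig"] = sign_assertion(f)
    return f


def nonce_is_fresh(nonce, now):
    """Nonce = 'YYYY-MM-DDThh:mm:ssZ' plus a unique suffix; reject if old, malformed or reused."""
    if len(nonce) < 20 or nonce in used_nonces:
        return False
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    return abs(now - ts) <= NONCE_MAX_AGE


def verify_assertion(fields, expected_return_to=RETURN_TO, expected_op=OP_ENDPOINT,
                     mac_key=MAC_KEY, now=None):
    """Return (ok, reason) for an id_res response with the 'openid.' prefix stripped."""
    now = now or datetime.now(timezone.utc)
    if fields.get("mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("op_endpoint") != expected_op:
        return False, "unexpected OP endpoint"
    # an assertion harvested for another site carries that site's return_to
    if fields.get("return_to") != expected_return_to:
        return False, "return_to mismatch"
    signed = set(fields.get("signed", "").split(","))
    required = REQUIRED_SIGNED | (IDENTITY_FIELDS & set(fields))
    missing = required - signed
    if missing:
        return False, "unsigned required fields: " + ",".join(sorted(missing))
    if not signed <= set(fields):
        return False, "signed list names a field absent from the response"
    if not hmac.compare_digest(fields.get("sig", ""), sign_assertion(fields, mac_key)):
        return False, "bad signature"
    # consume the nonce last, so only an otherwise valid assertion can spend it
    if not nonce_is_fresh(fields.get("response_nonce", ""), now):
        return False, "stale or replayed nonce"
    used_nonces.add(fields["response_nonce"])
    return True, "ok"
```

The order of the checks is deliberate: the signature is verified only over fields the OP actually listed in openid.signed, so the "required fields are signed" test must come before the signature test, otherwise an assertion whose signature covers nothing of consequence would look valid.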
[1] http://drupal.org/node/880476
[2] http://drupal.org/node/880496
[3] http://drupal.org/project/openid
[4] http://drupal.org/user/226462
[5] http://drupal.org/user/216078
[6] http://drupal.org/user/17943
[7] http://drupal.org/user/216078
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/22211
[10] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-085
* Project: Pathauto (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Pathauto module automatically generates path aliases for various kinds of content (nodes, categories, users) without requiring the user to manually specify the path alias. It also provides additional tokens that can be used in URL alias patterns and anywhere else that the Token API [1] is used.

The module does not sanitize the text in the [bookpathalias], [catalias], and [termalias] tokens. Under rare circumstances those tokens could cause a Cross Site Scripting (XSS [2]) vulnerability that may lead to a malicious user gaining full administrative access.

This vulnerability is mitigated by the fact that a malicious user must have "create url aliases" permission and then one of those tokens must be used to display output on an HTML page (for instance, displaying a message to the user using an action from the token_actions.module). The normal circumstance of using these tokens as part of a Pathauto URL alias pattern is not vulnerable.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Pathauto module for Drupal 5.x versions prior to 5.x-2.4
* Pathauto module for Drupal 6.x versions prior to 6.x-1.4

Drupal core is not affected.
If you do not use the contributed Pathauto [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Pathauto module for Drupal 5.x upgrade to Pathauto 5.x-2.4 [4]
* If you use the Pathauto module for Drupal 6.x upgrade to Pathauto 6.x-1.4 [5]

See also the Pathauto project page [6].

-------- SAFE USE OF TOKENS --------------------------------------------------

The existing [bookpathalias], [termalias], and [catalias] tokens are now sanitized. New [bookpathalias-raw], [termalias-raw], and [catalias-raw] companion tokens have been added for the un-sanitized versions of each token respectively.

This is also a reminder to modules that use the Token API [7] to display output on an HTML page (such as displaying a message to the user), that no tokens with the -raw suffix should be used.

-------- REPORTED BY ---------------------------------------------------------

* Dave Reid [8] of the Drupal security team and module co-maintainer

-------- FIXED BY ------------------------------------------------------------

* Dave Reid [9] of the Drupal security team and module co-maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
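The sanitized-versus-raw token rule from the SAFE USE OF TOKENS section, as an added example (Python, not Pathauto's or the Token module's PHP code): the plain token is HTML-escaped, its -raw companion is the unescaped value, and the routine that renders a message into an HTML page refuses -raw tokens outright, while the alias builder may use them because its output is reduced to a URL-safe string rather than emitted as markup. The same escape-before-display rule is what the Privatemsg and GovDelivery advisories in this note describe for user-supplied data. Token names are the advisory's; the term alias value and the patterns are constructed.

```python
"""Sanitised tokens versus their -raw companions."""
import html
import re

TOKEN_RE = re.compile(r"\[([a-z0-9_]+(?:-raw)?)\]")


def build_tokens(raw_values):
    """{'termalias': v} -> {'[termalias]': escaped v, '[termalias-raw]': v}."""
    tokens = {}
    for name, value in raw_values.items():
        tokens[f"[{name}]"] = html.escape(value, quote=True)
        tokens[f"[{name}-raw]"] = value
    return tokens


def replace_tokens(pattern, tokens, allow_raw):
    """Substitute known tokens; unknown ones are left verbatim."""
    def substitute(match):
        token = match.group(0)
        if token.endswith("-raw]") and not allow_raw:
            raise ValueError(f"{token} must not be used in HTML output")
        return tokens.get(token, token)
    return TOKEN_RE.sub(substitute, pattern)


def render_html_message(pattern, raw_values):
    """HTML context (a message shown to the user): sanitised tokens only."""
    return replace_tokens(pattern, build_tokens(raw_values), allow_raw=False)


def build_path_alias(pattern, raw_values):
    """Non-HTML context: -raw tokens are acceptable because the result is
    reduced to a URL-safe alias and never emitted as markup."""
    text = replace_tokens(pattern, build_tokens(raw_values), allow_raw=True)
    return re.sub(r"[^a-z0-9/]+", "-", text.lower()).strip("-")
```

Making the HTML renderer raise rather than silently escape a -raw token turns a mis-used token into a development-time error instead of a latent XSS that only shows up when an attacker-controlled alias reaches a message.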
[1] http://drupal.org/project/token
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/pathauto
[4] http://drupal.org/node/880462
[5] http://drupal.org/node/880464
[6] http://drupal.org/project/pathauto
[7] http://drupal.org/project/token
[8] http://drupal.org/user/53892
[9] http://drupal.org/user/53892
[10] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-086
* Project: Prepopulate (third-party module)
* Version: 5.x and 6.x
* Date: 2010-Aug-11
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form.

The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Prepopulate module for Drupal 6.x versions prior to 6.x-2.0 [1]
* Prepopulate module for Drupal 5.x versions prior to 5.x-1.5 [2]

Drupal core is not affected. If you do not use the contributed Prepopulate [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate 6.x-2.0 [4]
* If you use the Prepopulate module for Drupal 5.x upgrade to Prepopulate 5.x-1.5 [5]

See also the Prepopulate project page [6].
-------- REPORTED BY ---------------------------------------------------------

* Aren Cambre [7]

-------- FIXED BY ------------------------------------------------------------

* Joshua Brauer (jbrauer [8]) the module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [9] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/node/880652
[2] http://drupal.org/node/880656
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/880652
[5] http://drupal.org/node/880656
[6] http://drupal.org/project/prepopulate
[7] http://drupal.org/user/97356
[8] http://drupal.org/user/253145
[9] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-087
* Project: GovDelivery Integration (third-party module)
* Version: 6.x
* Date: 2010-Aug-11
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

-------- DESCRIPTION ---------------------------------------------------------

The GovDelivery module provides integration with the GovDelivery On-Demand Mailer service, a web service for GovDelivery customers that sends messages directly based on configured account information. The module replaces the backend of the SMTP library in your Drupal site with calls to the GovDelivery service, so all mail sent from your site uses the ODM service.

The module does not sanitize some of the user-supplied data before displaying it (for Drupal 6.x-1.0 only), leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

* GovDelivery module for Drupal 6.x versions prior to 6.x-1.1

Drupal core is not affected.
If you do not use the contributed GovDelivery Integration [1] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the GovDelivery module for Drupal 6.x upgrade to GovDelivery 6.x-1.1 [2]

See also the GovDelivery Integration project page [3].

-------- REPORTED BY ---------------------------------------------------------

* ben.bunk [4], module co-maintainer

-------- FIXED BY ------------------------------------------------------------

* ben.bunk [5], module co-maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://drupal.org/project/govdelivery
[2] http://drupal.org/node/880684
[3] http://drupal.org/project/govdelivery
[4] http://drupal.org/user/764808
[5] http://drupal.org/user/764808
[6] http://drupal.org/security-team

_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-088
* Project: Content Construction Kit (CCK) (third-party module)
* Version: 6.x
* Date: 2010-August-11
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser.

The CCK "Node Reference" module provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. In some cases, this was not correctly checking that the user had field level access to the source field, allowing direct queries to the backend URL to return node titles and IDs which the user would otherwise be unable to access.
Note that as Drupal 5 CCK does not have any field access control functionality, this issue only applies to the Drupal 6 version.

This advisory is a follow-up related to advisory SA-CONTRIB-2010-065 [1].

-------- VERSIONS AFFECTED ---------------------------------------------------

* Content Construction Kit (CCK) module for Drupal 6.x versions prior to 6.x-2.8

Drupal core is not affected. If you do not use the contributed Content Construction Kit (CCK) [2] module together with any node or field access module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Content Construction Kit (CCK) module for Drupal 6.x upgrade to Content Construction Kit (CCK) 6.x-2.8 [3]

See also the Content Construction Kit (CCK) project page [4].

-------- REPORTED BY ---------------------------------------------------------

* Alexis Wilke [5]

-------- FIXED BY ------------------------------------------------------------

* Marc Ferran (markus_petrux) [6], module co-maintainer
* Peter Wolanin (pwolanin) [7], of the Drupal security team

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
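The field-level access checks behind both access-bypass advisories in this note (Prepopulate, SA-CONTRIB-2010-086, and the CCK Node Reference autocomplete backend, SA-CONTRIB-2010-088), as an added example (Python, not either module's PHP code). Two helpers that act on request-supplied data consult the access layer first: prepopulate() takes a default from the query string only for fields the user may edit, and node_reference_autocomplete() answers the backend request only if the user may view the reference field, and then only with nodes the user may see. The roles, fields, permissions and nodes are constructed.

```python
"""Field-level access checks for request-driven form helpers."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class Field:
    name: str
    view_roles: frozenset   # roles allowed to see the field's values
    edit_roles: frozenset   # roles allowed to change them


FIELDS = {  # constructed content type
    "field_summary": Field("field_summary", frozenset({"anonymous", "editor", "administrator"}),
                           frozenset({"editor", "administrator"})),
    "field_price":   Field("field_price", frozenset({"editor", "administrator"}),
                           frozenset({"administrator"})),
    "field_partner": Field("field_partner", frozenset({"editor", "administrator"}),
                           frozenset({"administrator"})),
}
NODES = [  # constructed nodes a field_partner reference may point at; status 1 = published
    {"nid": 1, "title": "Partner: Acme", "status": 1},
    {"nid": 2, "title": "Partner: Zenith (unpublished)", "status": 0},
    {"nid": 3, "title": "Press release", "status": 1},
]


def field_access(op, fld, user):
    """'view' or 'edit' access to a field, decided by role membership."""
    roles = fld.view_roles if op == "view" else fld.edit_roles
    return bool(user.roles & roles)


def node_access_view(node, user):
    """Unpublished nodes are visible to administrators only."""
    return node["status"] == 1 or "administrator" in user.roles


def prepopulate(query_edit, user):
    """Return (defaults, rejected): defaults only for fields this user may edit.

    query_edit is the request's edit[...] map; rejected names are logged and
    ignored, never merged into the form.
    """
    defaults, rejected = {}, []
    for name, value in query_edit.items():
        fld = FIELDS.get(name)
        if fld is None or not field_access("edit", fld, user):
            rejected.append(name)
            continue
        defaults[name] = value
    return defaults, rejected


def node_reference_autocomplete(field_name, prefix, user):
    """Backend for the autocomplete widget. None means access denied (HTTP 403)."""
    fld = FIELDS.get(field_name)
    if fld is None or not field_access("view", fld, user):
        return None
    prefix = prefix.lower()
    return [(n["nid"], n["title"]) for n in NODES
            if n["title"].lower().startswith(prefix) and node_access_view(n, user)]
```

The autocomplete path needs both checks: field access decides whether the request may be answered at all, and node access filters which titles and IDs the answer may contain, since the backend URL can be queried directly without ever rendering the form.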
[1] http://drupal.org/node/829566
[2] http://drupal.org/project/cck
[3] http://drupal.org/node/880732
[4] http://drupal.org/project/cck
[5] http://drupal.org/user/356197
[6] http://drupal.org/user/39593
[7] http://drupal.org/user/49851
[8] http://drupal.org/security-team

_______________________________________________
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================