=====================================================================
CERT-Renater Information Note No. 2010/VULN392
_____________________________________________________________________
DATE                 : 30/09/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Domain access for DRUPAL, Imagemenu for DRUPAL.
======================================================================

http://drupal.org/node/919916
http://drupal.org/node/926734
______________________________________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-096
* Project: Domain access (third-party module)
* Version: 5.x, 6.x, 7.x
* Date: 2010-September-22
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting, Privilege Escalation

-------- DESCRIPTION ---------------------------------------------------------

The Domain Access module suite allows users to maintain content shared across multiple domains running from a single Drupal installation.

In several instances, the module does not sanitize the user-supplied domain name before displaying it, leading to a Cross-Site Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining full administrative access.

This vulnerability is mitigated by the fact that the user must have the "administer domains" permission in order to create and edit domain names.

The Domain Configuration sub-module allows certain site information settings to be configured per domain. Users with the "administer domains" permission could change these settings, even if they lacked the permission to edit the settings on the primary domain.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Domain access module for Drupal 5.x versions prior to 5.x-1.15
* Domain access module for Drupal 6.x versions prior to 6.x.2.6
* Domain access module for Drupal 7.x versions prior to 7.x.2.4

Drupal core is not affected.
If you do not use the contributed Domain access [2] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Domain access module for Drupal 5.x upgrade to Domain access 5.x-1.15 [3]
* If you use the Domain access module for Drupal 6.x upgrade to Domain access 6.x.2.6 [4]
* If you use the Domain access module for Drupal 7.x upgrade to Domain access 7.x.2.4 [5]

See also the Domain access project page [6].

-------- REPORTED BY ---------------------------------------------------------

* Sam Oldak [7] (Cross-Site Scripting)
* brt [8] (Privilege escalation)
* Nirbhasa Magee [9] (Privilege escalation)

-------- FIXED BY ------------------------------------------------------------

* Sam Oldak [10]
* Ken Rickard [11], the module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [12] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/domain
[3] http://drupal.org/node/919890
[4] http://drupal.org/node/919896
[5] http://drupal.org/node/919900
[6] http://drupal.org/project/domain
[7] http://drupal.org/user/366337
[8] http://drupal.org/user/26752
[9] http://drupal.org/user/151770
[10] http://drupal.org/user/366337
[11] http://drupal.org/user/20975
[12] http://drupal.org/security-team

____________________________________________________________________________
_______________________________________________

* Advisory ID: DRUPAL-SA-CONTRIB-2010-097
* Project: Imagemenu (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-29
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting, Cross-site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

The Imagemenu module allows users to create and maintain image based menus.

The Drupal 5 branch of this module contains a Cross Site Request Forgery (CSRF [1]) vulnerability which could allow a malicious user to trick an administrator into unintentionally enabling or disabling menu items provided by this module.

The Drupal 6 branch of this module does not properly sanitize some user-supplied menu and menu item properties, leading to Cross-Site Scripting (XSS [2]) vulnerabilities.

The risk is mitigated by the fact that the "administer imagemenu" permission is required in order to exploit this vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Imagemenu for Drupal 6 prior to 6.x-1.3
* Imagemenu for Drupal 5 prior to 5.x-1.2

Drupal core is not affected. If you do not use the contributed Imagemenu [3] module, there is nothing you need to do.
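Both advisories come down to the same two defect classes: user-supplied text concatenated straight into page markup (the XSS in Domain Access and in the Imagemenu 6.x branch), and a state-changing administrative link that any other page can trigger (the CSRF in the Imagemenu 5.x branch). The script below is an added example, not code from the Domain Access or Imagemenu modules nor from the Drupal security team; it shows each vulnerable output pattern beside the fix built on the Drupal API calls that existed in 5.x/6.x (check_plain, drupal_get_token, drupal_valid_token, user_access). The admin path, the token names, the permission set, the fallback implementations and the sample domain name are assumptions constructed so the script runs stand-alone without a Drupal bootstrap; inside Drupal the real functions take over.

```php
<?php
// Added example (not the modules' own code). Run stand-alone with `php`.
// When bootstrapped inside Drupal 5/6 the core check_plain(),
// drupal_get_token(), drupal_valid_token() and user_access() are used
// instead of the constructed fallbacks below.

if (!function_exists('check_plain')) {
  // Fallback mirroring what Drupal's check_plain() does: HTML-escape the
  // string so the browser renders it as text, never as markup.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('drupal_get_token')) {
  // Fallback: Drupal binds a token to the session and a per-site private
  // key. Both inputs here are constructed stand-ins for this script only.
  function drupal_get_token($value = '') {
    return hash_hmac('sha256', 'constructed-session-id' . $value, 'constructed-private-key');
  }
  function drupal_valid_token($token, $value = '') {
    return hash_equals(drupal_get_token($value), (string) $token);
  }
}
if (!function_exists('user_access')) {
  // Fallback: assume the current user holds exactly these permissions.
  function user_access($perm) {
    return in_array($perm, array('administer domains', 'administer imagemenu'), TRUE);
  }
}

// --- SA-CONTRIB-2010-096 / 097 (6.x): unsanitized value in output (XSS) ---

// Vulnerable pattern: the stored domain name is concatenated into markup.
function domain_row_unsafe($domain_name) {
  return '<td>' . $domain_name . '</td>';
}

// Fixed pattern: escape every user-supplied value at the point of output.
function domain_row_safe($domain_name) {
  return '<td>' . check_plain($domain_name) . '</td>';
}

// --- SA-CONTRIB-2010-097 (5.x): state change via an unprotected link (CSRF) ---

// Fixed pattern: the enable/disable link carries a token bound to the
// session and to this exact action, so a page on another site cannot
// construct a working link. (Path is hypothetical.)
function imagemenu_toggle_url($mid, $enable) {
  $action = $enable ? 'enable' : 'disable';
  $token = drupal_get_token('imagemenu-' . $action . '-' . $mid);
  return "admin/build/imagemenu/$mid/$action?token=" . rawurlencode($token);
}

// Handler side: refuse unless the caller holds the permission AND presents
// the token issued to this session for this action. Both checks are needed;
// the permission alone is what the vulnerable 5.x branch relied on.
function imagemenu_toggle_handler($mid, $action, $token) {
  if (!user_access('administer imagemenu')) {
    return 'access denied';
  }
  if (!drupal_valid_token($token, 'imagemenu-' . $action . '-' . $mid)) {
    return 'access denied';
  }
  return "menu item $mid {$action}d";
}

// Constructed sample input: a domain name that carries markup.
$name = 'example.com<b>text</b>';
echo domain_row_unsafe($name), "\n"; // markup reaches the browser intact
echo domain_row_safe($name), "\n";   // same string, HTML-escaped

// A link generated for the current session validates; a guessed token does not.
$url = imagemenu_toggle_url(7, TRUE);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
echo imagemenu_toggle_handler(7, 'enable', $query['token']), "\n";
echo imagemenu_toggle_handler(7, 'enable', 'not-the-issued-token'), "\n";
```

The escaping happens at output, not at save time, which is the convention Drupal's check_plain() is built around: the stored domain name stays intact for DNS and comparison purposes, and every render path applies the escape. For the CSRF side, the token must be both validated and tied to the specific menu item and action; a token that merely proves "some logged-in admin" would still let one forged link toggle any item.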
-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Imagemenu module for Drupal 6.x upgrade to Imagemenu 6.x-1.3 [4]
* If you use the Imagemenu module for Drupal 5.x upgrade to Imagemenu 5.x-1.2 [5]

See also the Imagemenu [6] project page.

-------- REPORTED BY ---------------------------------------------------------

* The XSS vulnerability on menu titles was reported by Joachim Noreiko (joachim [7])
* The XSS vulnerability on menu item description and the CSRF vulnerability were reported by Ivo Van Geertruyen (mr.baileys [8]) of the Drupal security team [9]

-------- FIXED BY ------------------------------------------------------------

* Paul Maddern (pobster [10]), module maintainer
* Ivo Van Geertruyen (mr.baileys [11]) of the Drupal security team [12]

-------- CONTACT -------------------------------------------------------------

The Drupal security team [13] can be reached at security at drupal.org or via the form at http://drupal.org/contact [14].
[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/project/imagemenu
[4] http://drupal.org/node/925726
[5] http://drupal.org/node/925730
[6] http://drupal.org/project/imagemenu
[7] http://drupal.org/user/107701
[8] http://drupal.org/user/383424
[9] http://drupal.org/security-team
[10] http://drupal.org/user/25159
[11] http://drupal.org/user/383424
[12] http://drupal.org/security-team
[13] http://drupal.org/security-team
[14] http://drupal.org/contact
======================================================================

=========================================================
The CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44    +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41    +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================