=====================================================================
CERT-Renater Information Note No. 2012/VULN104
_____________________________________________________________________

DATE                 : 08/03/2012
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Webform for DRUPAL, Node Recommendation for DRUPAL,
                       Read More Link for DRUPAL, Block Class for DRUPAL, Multisite Search
                       for DRUPAL, UC PayDutchGroup / WeDeal payment for DRUPAL.
======================================================================

http://drupal.org/node/1472214
http://drupal.org/node/1471940
http://drupal.org/node/1471822
http://drupal.org/node/1471808
http://drupal.org/node/1471800

_______________________________________________________________________

SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS)

Posted by Drupal Security Team on March 7, 2012 at 8:12pm

* Advisory ID: DRUPAL-SA-CONTRIB-2012-035
* Project: Webform (third-party module)
* Version: 6.x, 7.x
* Date: 2012-March-07
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

Description

The Webform module allows content creators to assemble a survey for end-users.

The module doesn't sufficiently filter user-supplied text when displaying radio buttons or checkboxes in combination with the Select or Other... module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content" and the Select or Other... module must be installed on the site.

Versions affected

* Webform 6.x-3.x versions prior to 6.x-3.17.
* Webform 7.x-3.x versions prior to 7.x-3.17.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

Install the latest version:

* If you use the Webform module for Drupal 6.x, upgrade to Webform 6.x-3.17
* If you use the Webform module for Drupal 7.x, upgrade to Webform 7.x-3.17

If you do not use the Select or Other... module, no action is necessary.

See also the Webform project page.

Reported by

* Kyle Small

Fixed by

* Nate Haug, the module maintainer

Coordinated by

* Greg Knaddison of the Drupal Security Team
* John Morahan of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Edited to fix a typo in the versions of Webform affected.

Categories: Drupal 6.x, Drupal 7.x

______________________________________________________________________

SA-CONTRIB-2012-034 - Node Recommendation Cross Site Scripting (XSS)

Posted by Drupal Security Team on March 7, 2012 at 4:50pm

* Advisory ID: DRUPAL-SA-CONTRIB-2012-034
* Project: Node Recommendation (third-party module)
* Version: 6.x
* Date: 2012-March-7
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

Description

This module shows users other nodes that they might be interested in, based on simple logic using taxonomy. The aim of this module is to provide sensible defaults and an easy configuration for less-technical users, while allowing the defaults to be manually overridden.

The module doesn't sufficiently filter user-supplied text.

The vulnerability is mitigated by the fact that an attacker would need permission to create taxonomy terms or edit node titles to exploit the issue.

Versions affected

* Node Recommendation 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Node Recommendation module, there is nothing you need to do.

Solution

Install the latest version:

* If you use the Node Recommendation module for Drupal 6.x, upgrade to Node Recommendation 6.x-1.1

See also the Node Recommendation project page.

Reported by

* Dylan Tack of the Drupal Security Team

Fixed by

* Ariel Barreiro, the module maintainer

Coordinated by

* Greg Knaddison of the Drupal Security Team
* Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x

______________________________________________________________________

SA-CONTRIB-2012-033 - Read More Link - Cross Site Scripting

Posted by Drupal Security Team on March 7, 2012 at 3:34pm

* Advisory ID: DRUPAL-SA-CONTRIB-2012-033
* Project: Read More Link (third-party module)
* Version: 6.x
* Date: 2012-March-07
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

Description

The Read More Link module allows you to move the "Read more" link from the node's links area to the end of the teaser text.

A user could inject JavaScript into pages, affecting other site users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages."

Versions affected

* Read More Link 6.x-3.x versions prior to and including 6.x-3.0.

Drupal core is not affected. If you do not use the contributed Read More Link (Drupal 6 and earlier) module, there is nothing you need to do.

Solution

Install the latest version:

* If you use the Read More Link module for Drupal 6.x, upgrade to version 6.x-3.1 or 6.x-5.0

See also the Read More Link project page.

Reported by

* Kyle Small

Fixed by

* Stéphane Corlosquet
* Todd Nienkerk

Coordinated by

* Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x

______________________________________________________________________

SA-CONTRIB-2012-032 - Block Class - Cross Site Scripting

Posted by Drupal Security Team on March 7, 2012 at 3:27pm

* Advisory ID: DRUPAL-SA-CONTRIB-2012-032
* Project: Block Class (third-party module)
* Version: 7.x
* Date: 2012-March-07
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

Description

The Block Class module allows users to add classes to any block through the block's configuration interface.

The class names in a block were not properly filtered. Someone with the ability to modify or create blocks could inject JavaScript that would be rendered when viewing the block.

Versions affected

* Block Class versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.

Solution

Install the latest version:

* If you use the Block Class module for Drupal 7.x, upgrade to Block Class 7.x-1.1

See also the Block Class project page.

Reported by

* Katherine Senzee

Fixed by

* Berend de Boer, the module maintainer

Coordinated by

* Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 7.x

______________________________________________________________________

SA-CONTRIB-2012-031 - Multiple Modules Unsupported - UC PayDutchGroup - Information leakage and Multisite Search SQL injection

Posted by Drupal Security Team on March 7, 2012 at 3:20pm

* Advisory ID: DRUPAL-SA-CONTRIB-2012-031
* Projects: UC PayDutchGroup / WeDeal payment, Multisite Search (third-party modules)
* Version: 6.x
* Date: 2012-March-7
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure

Description

UC PayDutchGroup / WeDeal payment integrates the PayDutchGroup / WeDeal payment gateway with Ubercart.

The module exposes the credentials for the store's PayDutchGroup account under certain circumstances, allowing a malicious user to log in to the PayDutchGroup site as the store owner and manage the store owner's account.

The vulnerability is mitigated by the fact that an attacker needs to obtain an account with the ability to check out from the store.

Multisite Search allows you to index and search content from all sites in a multisite configuration.

The module doesn't sufficiently escape user input when constructing queries.

The vulnerability is mitigated by the fact that, in order to execute arbitrary SQL injection, a malicious user must have the ability to administer Multisite Search.

Versions affected

All versions of UC PayDutchGroup / WeDeal payment are affected by vulnerabilities.

All versions of Multisite Search are affected by vulnerabilities.

Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.

Solution

Users of these modules are encouraged to disable the modules and search for similar alternatives.

Users of the modules who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Unsupported project process.

Reported by

* UC PayDutchGroup / WeDeal payment issue reported by Rolf Meijer
* Multisite Search issue reported by Justin Klein Keane

Fixed by

No fixes created.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal 6.x

======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
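As an added example (not code from the bulletin or from any Drupal module), the following Python check reads a module's .info file and compares its version with the upgrade targets given in the five advisories above, reporting the two unsupported modules as affected in every version. The module display names and version strings come from the advisories; the name/core/version keys are Drupal's own .info format; the version ordering for dev snapshots and pre-releases is this example's assumption.

```python
import re

# Added example; not code from the CERT-Renater bulletin or from any Drupal module.
# Minimum fixed version per (module display name, core branch), taken from the
# "Solution" lines of the advisories above. None means the module was marked
# unsupported: every version is affected and there is nothing to upgrade to.
MIN_FIXED = {
    ("Webform", "6.x"): "6.x-3.17",
    ("Webform", "7.x"): "7.x-3.17",
    ("Node Recommendation", "6.x"): "6.x-1.1",
    ("Read More Link", "6.x"): "6.x-3.1",  # 6.x-5.0 is also fixed and sorts above 3.1
    ("Block Class", "7.x"): "7.x-1.1",      # the advisory's upgrade target
    ("UC PayDutchGroup / WeDeal payment", "6.x"): None,
    ("Multisite Search", "6.x"): None,
}

# Contrib versions look like 6.x-3.17, 7.x-1.x-dev or 6.x-3.17-rc1.
VERSION_RE = re.compile(r"^(\d\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$")

def version_key(version):
    """Sortable (major, minor, is_final) tuple. A dev snapshot (minor 'x') gets
    minor -1 so it sorts below every tagged release of its branch; a pre-release
    suffix (-beta1, -rc1) sorts below the final tag with the same number."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % version)
    _core, major, minor, suffix = m.groups()
    return (int(major), -1 if minor == "x" else int(minor), 0 if suffix else 1)

def parse_info(text):
    """Pick the name/core/version keys out of a module .info file."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(name|core|version)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_module(info_text):
    """Classify one .info file as affected, fixed, unsupported or not in advisory.
    Anything below the upgrade target counts as affected, the conservative
    reading for older branches the advisories do not mention."""
    f = parse_info(info_text)
    key = (f["name"], f["core"])
    if key not in MIN_FIXED:
        return "not in advisory"
    if MIN_FIXED[key] is None:
        return "unsupported"  # disable the module and look for an alternative
    return "affected" if version_key(f["version"]) < version_key(MIN_FIXED[key]) else "fixed"
```

Run check_module() over the contents of each module's .info file on the site; "affected" and "unsupported" are the results that need action.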