
Drupal Security

SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting

Drupal Contrib Security - 9 February 2012 - 01:37
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-018
  • Project: Revisioning (third-party module)
  • Version: 6.x
  • Date: 2012-FEB-08
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Drupal Revisioning module (https://drupal.org/project/revisioning) "is a module for the configuration of workflows to create, moderate and publish content revisions."
The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display.

Users with the ability to create content and tags that are submitted to a review queue could include malicious JavaScript or HTML as part of their tags. Users reviewing the queue would then become victims of the XSS attack.

The risk is mitigated by the fact that the attacker must have the ability to create taxonomy terms (either "administer taxonomy" or via a freetagging vocabulary).
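The pattern shared by this advisory and the other XSS advisories on this page (term names, product titles and block titles printed unescaped) and its fix, as an added illustration that is not the Revisioning module's own code; the sample terms and function names are constructed for the example:

```php
<?php
// Added illustration, not the Revisioning module's code: the pattern behind the
// persistent XSS advisories on this page (term names, product titles, block
// titles printed unescaped) and the Drupal-API fix. Sample terms are constructed.

// Stand-in for Drupal's check_plain() so this runs from the PHP CLI; inside
// Drupal the real function is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: terms a freetagging user has attached to queued content.
$sample_terms = array(
  (object) array('tid' => 1, 'name' => 'drupal'),
  (object) array('tid' => 2, 'name' => '<script>alert(1)</script>'),
);

// Vulnerable: the stored name is concatenated straight into the review-queue
// markup, so the moderator's browser executes whatever the tagger stored.
function example_queue_tags_unsafe(array $terms) {
  $names = array();
  foreach ($terms as $term) {
    $names[] = $term->name;
  }
  return '<td class="tags">' . implode(', ', $names) . '</td>';
}

// Hardened: every untrusted string is escaped at the point of output, so the
// browser renders the tag as text rather than as markup.
function example_queue_tags_safe(array $terms) {
  $names = array();
  foreach ($terms as $term) {
    $names[] = check_plain($term->name);
  }
  return '<td class="tags">' . implode(', ', $names) . '</td>';
}

echo "unsafe: " . example_queue_tags_unsafe($sample_terms) . "\n";
echo "safe:   " . example_queue_tags_safe($sample_terms) . "\n";
```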

Versions affected
  • Revisioning 6.x-3.13 and prior.

Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.

Solution

Install the latest version:

  • Upgrade to Revisioning 6.x-3.14

See also the Revisioning project page.

Reported by
  • Justin C. Klein Keane
Fixed by
  • Justin C. Klein Keane
  • Rik de Boer, the module maintainer
Coordinated by
  • Dylan Tack of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities

Drupal Contrib Security - 8 February 2012 - 17:03
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-017
  • Project: Finder (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-February-08
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Arbitrary PHP code execution, Multiple vulnerabilities
Description

Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values.

In addition, users with the "administer finder" permission were able to execute arbitrary code through a PHP import interface; specific PHP execution permissions were not required.

Versions affected
  • Finder 6.x-1.x prior to 6.x-1.26
  • Finder 7.x-1.x versions (all)
  • Finder 7.x-2.x versions prior to 7.x-2.0-alpha8

Drupal core is not affected. If you do not use the contributed Finder module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Finder module for Drupal 6.x, upgrade to Finder 6.x-1.26.
  • If you use the Finder module for Drupal 7.x, upgrade to Finder 7.x-2.0-alpha8.

See also the Finder project page.

Reported by
  • Justin C. Klein-Keane
Fixed by
  • Daniel Braksator the module maintainer
Coordinated by
  • Greg Knaddison and Forest Monsen of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass

Drupal Contrib Security - 1 February 2012 - 23:55
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-016
  • Project: Forward (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-February-01
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery
Description

The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below.

The module includes "Recent forwards" and "Most forwarded" blocks that display the titles of the most recently forwarded nodes and the nodes forwarded the most for all time. The module doesn't check that site visitors have permissions to view the node titles listed in these blocks, resulting in an access bypass. This vulnerability is mitigated by the fact that these blocks are disabled by default.

The module includes a "Dynamic Block" feature which adds a listing of the top 5 node titles to the bottom of the generated email to a friend. The module doesn't sufficiently check that the email recipient has permission to view the node titles included in the block, resulting in an access bypass. This vulnerability is mitigated by the fact that the Dynamic Block feature is disabled by default.

The module includes clickthrough tracking so that the site administrator can determine which emails are generating the most clicks back to the site. The tracking code is vulnerable to CSRF because it uses a publicly available link that could be manipulated to falsely boost the perceived importance of a node.
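Why the publicly reachable tracking link described above is forgeable, and one way to make the counter accept only links the site itself issued, as an added illustration that is not the Forward module's code; signing the link with an HMAC over the tracked ids under the site's private key is an assumption for this example, not the module's actual fix, and hash_equals() needs PHP 5.6+:

```php
<?php
// Added illustration, not the Forward module's code: why an unsigned
// clickthrough-tracking URL can be hit by anyone to inflate a node's count, and
// one defence. Signing the link with an HMAC over the tracked ids under the
// site's private key is an assumption for this example, not the module's fix;
// hash_equals() needs PHP 5.6+.

// Stand-ins so the script runs outside Drupal. drupal_hmac_base64() mirrors the
// Drupal 7 function; the key is a constructed value, never hard-code one.
if (!function_exists('drupal_get_private_key')) {
  function drupal_get_private_key() { return 'constructed-example-private-key'; }
}
if (!function_exists('drupal_hmac_base64')) {
  function drupal_hmac_base64($data, $key) {
    $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
    return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
  }
}

// Vulnerable: the endpoint trusts the ids in the URL, so repeated requests to
// forward/track/<nid> count as real clicks.
function example_track_click_unsafe(array &$stats, $nid) {
  $stats[$nid] = isset($stats[$nid]) ? $stats[$nid] + 1 : 1;
  return TRUE;
}

// The link placed in the outgoing email carries a signature over both ids.
function example_signature($nid, $forward_id) {
  return drupal_hmac_base64("forward-track:$nid:$forward_id", drupal_get_private_key());
}
function example_tracking_url($nid, $forward_id) {
  return "forward/track/$nid/$forward_id/" . example_signature($nid, $forward_id);
}

// Hardened: a click counts only if the signature matches these exact ids, so a
// URL with an altered nid, or one never issued by the site, is rejected.
function example_track_click_safe(array &$stats, $nid, $forward_id, $sig) {
  if (!hash_equals(example_signature($nid, $forward_id), (string) $sig)) {
    return FALSE;
  }
  $stats[$nid] = isset($stats[$nid]) ? $stats[$nid] + 1 : 1;
  return TRUE;
}

// Constructed scenario: one genuine link, one with the nid swapped.
$stats = array();
$url = example_tracking_url(7, 123);
list(, , $nid, $fid, $sig) = explode('/', $url);
example_track_click_safe($stats, $nid, $fid, $sig);   // genuine link: counted
example_track_click_safe($stats, 99, $fid, $sig);     // nid altered: rejected
example_track_click_unsafe($stats, 99);                // unsigned endpoint: counted
print_r($stats);
```

The signature only stops third parties fabricating clicks; a recipient replaying their own genuine link is a separate concern, handled by de-duplicating per forward record.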

Versions affected
  • Forward 6.x-1.x versions prior to 6.x-1.21
  • Forward 7.x-1.x versions prior to 7.x-1.3

Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Forward module for Drupal 6.x, upgrade to Forward 6.x-1.21
  • If you use the Forward module for Drupal 7.x, upgrade to Forward 7.x-1.3

The upgrade is "code only" and does not require running the database update script.

IMPORTANT: Administrators of sites that rely on the Dynamic Block access bypass to operate correctly need to visit the Forward configuration page and explicitly select the Dynamic Block Access Control bypass option after upgrading. This should be rare, so most site administrators can simply upgrade the module without the need for additional configuration.

See also the Forward project page.

Reported by
  • Greg Knaddison (greggles) of the Drupal Security Team
Fixed by
  • John Oltman the module maintainer
Coordinated by
  • Greg Knaddison (greggles) of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

Drupal Core Security - 1 February 2012 - 23:06
  • Advisory ID: DRUPAL-SA-CORE-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-February-01
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected
  • Drupal 6.x core prior to 6.23.
  • Drupal 7.x core prior to 7.11.
Solution

Install the latest version:

  • If you use Drupal 6.x upgrade to 6.23
  • If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by
  • The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
  • The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
  • The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
Fixed by
  • Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
  • OpenID issue fixed by Vojtech Kusy and Christian Schmidt
  • The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)

Drupal Contrib Security - 25 January 2012 - 22:48
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-015
  • Project: Managesite (third-party module)
  • Version: 6.x
  • Date: 2012-January-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone (/admin). The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer managesite".

Versions affected
  • Managesite 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Managesite module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Managesite module for Drupal 6.x, upgrade to Managesite 6.x-1.1

See also the Managesite project page.

Reported by
  • Justin Klein Keane
Fixed by
  • jacinto capote robles the module maintainer
Coordinated by
  • Greg Knaddison of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)

Drupal Contrib Security - 25 January 2012 - 20:14
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-014
  • Project: Drupal Commerce (third-party module)
  • Version: 7.x
  • Date: 2012-January-25
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Cart forms. In Drupal Commerce 1.1 this feature was expanded to also incorporate the "extra fields" of products, i.e. the product title and SKU.

The theme functions used to render product titles and SKUs print those variables to the page without properly sanitizing them first. A user with the proper permissions could create a product that ends up in a node display where a malicious title or SKU is rendered.

This vulnerability is mitigated by the fact that the attacker must have a role with a product creation permission, and since Drupal Commerce 1.1, the site must have been updated to make use of these extra fields in product display nodes as they default to being hidden on all product displays.

Versions affected
  • Drupal Commerce version 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use Drupal Commerce 7.x-1.1, upgrade to Drupal Commerce 7.x-1.2

See also the Drupal Commerce project page.

Reported by
  • Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
Fixed by
  • Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
  • Ryan Szrama (rszrama) the module maintainer
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection

Drupal Contrib Security - 25 January 2012 - 17:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-013
  • Project: Search Autocomplete (third-party module)
  • Version: 7.x
  • Date: 2012-January-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Description

The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site.

Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carry out SQL injection on the site. This vulnerability is mitigated by the fact that users must have a role with the permission "use search_autocomplete" to exploit it.

Versions affected
  • Search Autocomplete versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Search Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-2.1

See the Search Autocomplete project page for more information.

Reported by
  • Miguel Hermo (serans)
Fixed by
  • Dominique Clause (Miroslav Talenberg) the module maintainer
  • Miguel Hermo (serans)
Coordinated by
  • Ben Jeavons of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)

Drupal Contrib Security - 18 January 2012 - 21:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-012
  • Project: Quick Tabs (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-January-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs.
Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user account with a role permitted to create or edit a Quicktabs instance.

Versions affected
  • Quicktabs 6.x-2.x versions prior to 6.x-2.1.
  • Quicktabs 6.x-3.x versions prior to 6.x-3.1.
  • Quicktabs 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Quick Tabs module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Quicktabs 2.x module for Drupal 6.x, upgrade to Quicktabs 6.x-2.1
  • If you use the Quicktabs 3.x module for Drupal 6.x, upgrade to Quicktabs 6.x-3.1
  • If you use the Quicktabs 3.x module for Drupal 7.x, upgrade to Quicktabs 7.x-3.3

See also the Quick Tabs project page.

Reported by
  • Owen Barton of the Drupal Security Team
  • Michael Smith
Fixed by
  • Katherine Bailey the module maintainer
  • Michael Smith
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)

Drupal Contrib Security - 18 January 2012 - 20:56
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-011
  • Project: Panels (third-party module)
  • Version: 6.x
  • Date: 2012-January-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Panels module allows a site administrator to create customized layouts for multiple uses.
The module doesn't sufficiently sanitize administrator supplied data.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer panel layouts".

Versions affected
  • Panels 6.x-2.x versions prior to 6.x-3.10.

Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Panels module for Drupal 6.x, upgrade to Panels 6.x-3.10

See also the Panels project page.

Reported by
  • Justin Klein Keane
Fixed by
  • Justin Klein Keane
  • Earl Miles the module maintainer
Coordinated by
  • Greg Knaddison of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities

Drupal Contrib Security - 18 January 2012 - 20:50
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-010
  • Project: stickynote (third-party module)
  • Version: 7.x
  • Date: 2012-January-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description

This module enables you to add textual notes in a block to perform quality assurance of your site.
Previously it did not sufficiently protect against Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "delete stickynotes" or "edit stickynotes".

Versions affected
  • Stickynote 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed stickynote module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use Stickynote version 7.x-1.x download 7.x-1.1.

See also the stickynote project page.

Reported by
  • Greg Knaddison of the Drupal Security Team
Fixed by
  • Luke Herrington the module maintainer
Coordinated by
  • Greg Knaddison of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-009 - Revisioning - Access bypass

Drupal Contrib Security - 18 January 2012 - 18:13
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-009
  • Project: Revisioning (third-party module)
  • Version: 7.x
  • Date: 2012-January-18
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher.

The module's implementation of hook_node_access() assumes that access is to be granted or denied based on the logged-in user's permissions. However, the hook may be invoked in contexts where the access grants are to be returned for a particular account passed into the hook. This can result in an access bypass vulnerability whenever node_access() is called for a specific user account.

This vulnerability manifests when using the XML sitemap module, which as a result will disclose the URLs of inaccessible or unpublished content to anonymous users. The actual content itself is not disclosed.
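The bug class described above, as an added illustration that is not the Revisioning module's own code: a hook_node_access() implementation that consults the logged-in user instead of the $account it was handed, beside the corrected form. The permission name, function names and accounts are assumptions constructed for the example.

```php
<?php
// Added illustration, not the Revisioning module's code, of the bug class in
// this advisory: a hook_node_access() implementation that consults the
// logged-in user instead of the $account it was handed. The permission name
// and function names are assumptions for the example.

// Minimal stand-ins so the script runs outside Drupal; inside Drupal these
// constants and user_access() already exist with the same meaning.
if (!defined('NODE_ACCESS_ALLOW')) {
  define('NODE_ACCESS_ALLOW', 'allow');
  define('NODE_ACCESS_DENY', 'deny');
  define('NODE_ACCESS_IGNORE', NULL);
}
if (!function_exists('user_access')) {
  function user_access($permission, $account = NULL) {
    global $user;
    $account = $account ? $account : $user;
    return in_array($permission, $account->perms, TRUE);
  }
}

// Vulnerable: $account is ignored, so when XML sitemap asks "may anonymous view
// this node?" while a moderator is logged in, the answer describes the moderator.
function example_node_access_unsafe($node, $op, $account) {
  if ($op == 'view' && !$node->status) {
    return user_access('view unpublished revisions') ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
  }
  return NODE_ACCESS_IGNORE;
}

// Fixed: every decision is made for the account the hook was asked about.
function example_node_access_safe($node, $op, $account) {
  if ($op == 'view' && !$node->status) {
    return user_access('view unpublished revisions', $account) ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
  }
  return NODE_ACCESS_IGNORE;
}

// Constructed scenario: a logged-in moderator, an anonymous visitor and an
// unpublished node; the sitemap generator asks on behalf of anonymous.
$user = (object) array('uid' => 5, 'perms' => array('view unpublished revisions'));
$anonymous = (object) array('uid' => 0, 'perms' => array());
$node = (object) array('nid' => 42, 'status' => 0);

echo 'unsafe hook answers for anonymous: ' . example_node_access_unsafe($node, 'view', $anonymous) . "\n";
echo 'safe hook answers for anonymous:   ' . example_node_access_safe($node, 'view', $anonymous) . "\n";
```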

Versions affected
  • Revisioning 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Revisioning module for Drupal 7.x, upgrade to Revisioning 7.x-1.3.

See also the Revisioning project page.

Reported by
  • Dave Reid, Drupal Security Team member
  • Adam Bramley
Fixed by
  • Dave Reid, Drupal Security Team member
  • Rik de Boer, module maintainer
Coordinated by
  • Dave Reid, Drupal Security Team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

PSA-2012-001 - Hash DOS attack prevention with Suhosin needs a .htaccess edit

Drupal PSA Security - 11 January 2012 - 22:37
  • Advisory ID: DRUPAL-PSA-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-01-11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service
Description

PHP is vulnerable to a hash collision denial of service (DOS) attack. If an attacker can post a large number of specifically chosen variables to the site, a large amount of CPU time is consumed, preventing service to visitors.

Many users deploy the Suhosin PHP extension to limit the number of posted variables that will be handled by PHP, thus preventing the DOS attack.

There is an unfortunate interaction with the mbstring extension, which Drupal requires in order to work with UTF-8. When the setting mbstring.encoding_translation is updated via .htaccess, the mbstring extension changes the PHP POST handlers so that only every other POST variable can be handled by Suhosin.

While Suhosin will still remove half of the variables over the post.max_vars limit, it is ultimately unsuccessful in limiting the number of posted variables and thus in preventing the hash collision DOS attack.

Versions affected

All versions

Solution

Confirm that the master value of mbstring.encoding_translation is set to Off via:

  • Drupal 7: Reports > Status, then More information on the PHP version (admin/reports/status/php)
  • Drupal 6: Administer > Reports > Status report, then follow the link on the PHP version (admin/reports/status/php)

Next, remove the following lines from the .htaccess file in the Drupal root.

For Drupal 7.x remove the lines:
php_flag mbstring.encoding_translation off

For Drupal 6.x remove the lines:
php_value mbstring.encoding_translation 0

If the master value of mbstring.encoding_translation is On, change it to Off via PHP.ini. Contact your hosting provider if necessary.

If you do not use Suhosin, limit the number of variables posted to your site in another way. You should consider upgrading to PHP 5.3.9 and using its newly introduced directive 'max_input_vars'.

Please note that setting such limits too low (whether via Suhosin or PHP) can break processing on long forms like the permissions administration screen.
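A check script for the procedure above, added here and not part of the PSA: it reports the master value of mbstring.encoding_translation (as opposed to the value after .htaccess overrides) and lists any .htaccess line that sets it, in both the Drupal 7 php_flag and the Drupal 6 php_value form. The .htaccess text is a constructed sample; on a real site read the file from the Drupal root.

```php
<?php
// Added check script for the procedure above (not part of the PSA): report the
// master value of mbstring.encoding_translation and list any .htaccess line that
// overrides it. The .htaccess text below is a constructed sample; on a real site
// read the file from the Drupal root instead.

// Master (php.ini) value, as opposed to the value after .htaccess overrides.
function example_mbstring_master_value() {
  if (!extension_loaded('mbstring')) {
    return NULL; // Drupal requires mbstring, so a missing extension needs attention
  }
  $all = ini_get_all('mbstring', TRUE);
  return isset($all['mbstring.encoding_translation'])
    ? $all['mbstring.encoding_translation']['global_value']
    : NULL;
}

// PHP treats these spellings as a boolean "off" in ini settings.
function example_ini_is_off($value) {
  return in_array(strtolower(trim((string) $value)), array('', '0', 'off', 'false', 'no'), TRUE);
}

// Returns line number => line for every php_flag / php_value directive that
// sets mbstring.encoding_translation (covers the Drupal 7 and Drupal 6 forms).
function example_find_encoding_translation_lines($htaccess) {
  $hits = array();
  foreach (preg_split('/\r?\n/', $htaccess) as $i => $line) {
    if (preg_match('/^\s*php_(flag|value)\s+mbstring\.encoding_translation\b/i', $line)) {
      $hits[$i + 1] = trim($line);
    }
  }
  return $hits;
}

// Constructed excerpt of a Drupal 7 .htaccess.
$sample_htaccess = "<IfModule mod_php5.c>\n"
  . "  php_flag magic_quotes_gpc                 off\n"
  . "  php_flag mbstring.encoding_translation    off\n"
  . "  php_value mbstring.http_input             pass\n"
  . "</IfModule>\n";

$master = example_mbstring_master_value();
echo 'mbstring.encoding_translation master value: ' . var_export($master, TRUE) . "\n";
if ($master !== NULL && !example_ini_is_off($master)) {
  echo "  -> change it to Off in php.ini before removing the .htaccess override\n";
}
foreach (example_find_encoding_translation_lines($sample_htaccess) as $n => $line) {
  echo "remove .htaccess line $n: $line\n";
}
```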

It is likely that the near future will see an update to Suhosin, making the procedure described in this PSA unnecessary.

See also the Drupal core project page.

Reported by
  • Dominic Böttger
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting

Drupal Contrib Security - 11 January 2012 - 21:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-008
  • Project: Video Filter (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-JANUARY-11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display.

This vulnerability is mitigated by the fact that the attacker has to be able to either control the source of third party data (such as via DNS hijack) or manipulate it in transit.

Versions affected
  • Video Filter 6.x-2.x and 6.x-3.x versions prior to 6.x-3.0.
  • Video Filter 7.x-2.x and 7.x-3.x versions prior to 7.x-3.0.

Drupal core is not affected. If you do not use the contributed Video Filter module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Video Filter module for Drupal 6.x, upgrade to Video Filter 6.x-3.0
  • If you use the Video Filter module for Drupal 7.x, upgrade to Video Filter 7.x-3.0

See also the Video Filter project page.

Reported by
  • Justin Klein Keane
Fixed by
  • Justin Klein Keane
  • Hans Nilsson, module maintainer
Coordinated by
  • Dave Reid, Drupal Security Team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities

Drupal Contrib Security - 11 January 2012 - 18:53
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-007
  • Project: Password policy (third-party module)
  • Version: 6.x
  • Date: 2012-January-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description

This module enables you to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a policy.

Cross Site Request Forgery (CSRF)

Unblocking a user does not require sufficient confirmation by administrative users and can be exploited with a specially crafted URL.

Cross Site Scripting (XSS)

The module doesn't sufficiently sanitize the name of password policies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer policies".

This issue also affects the 7.x branch, which is only in beta release. Users of non-stable releases are encouraged to upgrade frequently, as those releases are not covered by the Drupal Security Team policy.

Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Password Policy module for Drupal 6.x, upgrade to Password Policy 6.x-1.4.

Clear the site's cache:
visit Administer > Site Configuration > Performance and click "Clear cached data."

See also the Password policy project page.

Reported by
  • Greg Knaddison of the Drupal Security Team
Fixed by
  • Erik Webb the module co-maintainer
Coordinated by
  • Greg Knaddison of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported

Drupal Contrib Security - 11 January 2012 - 18:19
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-006
  • Projects: SuperCron, Taxotouch, Taxonomy Navigator, Admin:hover (third-party modules)
  • Version: 6.x, 7.x
  • Date: 2012-January-11
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description

SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission.

Taxotouch helps you navigate taxonomy. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

Taxonomy Navigator shows terms from a vocabulary. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

Admin:hover allows admins to easily publish/unpublish nodes. The module is vulnerable to Cross Site Request Forgeries which would allow an attacker to trick an admin into executing enabled actions such as unpublishing all nodes.

Versions affected

All versions of all four modules are affected by vulnerabilities.

Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.

Solution

Users of these modules are encouraged to disable them and look for alternatives. Anyone who wishes to take over maintainership of one of the modules should post patches that fix the security issues to its issue queue and request maintainership following the Abandoned project process.

Reported by
  • The Supercron issue was prematurely disclosed publicly outside of the security issue reporting process
  • Admin:hover issue reported by Ivo Van Geertruyen of the Drupal Security Team
  • Taxotouch issue reported by Dylan Tack of the Drupal Security Team
  • Taxonomy Navigator issue reported by Dylan Tack of the Drupal Security Team
Fixed by

No fixes created.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-005 - Vote up/down - Cross Site Scripting

Drupal Contrib Security - 11 January 2012 - 17:49
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-005
  • Project: Vote Up/Down (third-party module)
  • Version: 6.x
  • Date: 2012-January-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to add voting widgets to nodes, terms and comments.

The vud_term sub-module does not sufficiently sanitize taxonomy term names before displaying them, so a term name containing script or HTML is rendered verbatim (persistent Cross Site Scripting). To exploit this, a malicious user must have the ability to create or edit taxonomy terms.
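Taxotouch and Taxonomy Navigator (SA-CONTRIB-2012-006 above) and vud_term all fail the same way: a taxonomy term name, which any user with term-creation rights controls, reaches the page unescaped. As an added example that is not code from any of these modules, the following hypothetical theme function renders a term list first unescaped and then escaped on output. The function names are assumptions; check_plain(), l(), t() and theme('item_list') are Drupal 6/7 core API.

```php
<?php
// Added example, not code from Vote up/down, Taxotouch or Taxonomy Navigator.
// Function names are hypothetical; the escaping helpers are Drupal core API.

// VULNERABLE: the term name is concatenated into the markup as-is. A term
// named  <script>alert(document.cookie)</script>  runs in the browser of
// every visitor who views the list, with that visitor's session.
function theme_example_term_list_vulnerable($terms) {
  $output = '<ul>';
  foreach ($terms as $term) {
    $output .= '<li><a href="/taxonomy/term/' . $term->tid . '">'
      . $term->name . '</a></li>';
  }
  return $output . '</ul>';
}

// HARDENED: every untrusted value is escaped at the point of output.
// - l() runs check_plain() on the link text unless 'html' => TRUE is passed.
// - theme('item_list') expects items that are already safe markup.
// - (int) on the tid keeps the URL well-formed even if the object was tampered with.
function theme_example_term_list($terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = l($term->name, 'taxonomy/term/' . (int) $term->tid);
  }
  // Drupal 6 signature; Drupal 7 is theme('item_list', array('items' => $items)).
  return theme('item_list', $items);
}

// In t(), @placeholder is passed through check_plain(), %placeholder is
// escaped and emphasised, and !placeholder is inserted raw. Term names,
// descriptions and vocabulary names belong under @ (or %), never under !.
function example_term_title($term) {
  return t('Votes for @name', array('@name' => $term->name));
}

// Where a raw string has to be built by hand, escape it explicitly.
function example_term_attribute($term) {
  return 'title="' . check_plain($term->name) . '"';
}
```

The rule the fixes in these advisories follow is "escape on output, not on input": the term is stored unchanged, and every code path that renders it (widget label, link text, HTML attribute, t() placeholder) applies the escaping that is correct for that context.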

Versions affected
  • Vote up/down 6.x-2.x versions prior to 6.x-2.8.
  • Vote up/down 6.x-3.x versions prior to 6.x-3.1.

Drupal core is not affected. If you do not use the contributed Vote Up/Down module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use a 6.x-2.x version of Vote up/down module for Drupal 6.x, upgrade to Vote up/down 6.x-2.8.
  • If you use a 6.x-3.x version of Vote up/down module for Drupal 6.x, upgrade to Vote up/down 6.x-3.1.

See also the Vote Up/Down project page.

Reported by
  • Justin C. Klein Keane
Fixed by
  • Marco Villegas, the module maintainer
  • Greg Knaddison of the Drupal Security Team
Coordinated by
  • Greg Knaddison, Drupal security team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-004 - Date - SQL injection

Drupal Contrib Security - 11 January 2012 - 15:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-004
  • Project: Date (third-party module)
  • Version: 6.x
  • Date: 2012-January-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Description

This module enables you to add and administer date fields on nodes. It includes Date Tools, which allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Date Tools", and the option is only available on sites which have used the Event module in the past and have the Event table in the database.
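The following is an added example and not the Date Tools conversion form itself: a hypothetical Drupal 6 form that looks up legacy Event rows for a chosen content type, once with the submitted value concatenated into the SQL and once with a validate handler plus a db_query() placeholder. The {event} column names (nid, event_start, event_end) and all function names are assumptions; db_query() placeholders, db_fetch_object(), node_get_types(), form_set_error() and watchdog() are Drupal 6 core API.

```php
<?php
// Added example, not the Date Tools code. Column names and function names
// are hypothetical; the database and form helpers are Drupal 6 core API.

// VULNERABLE: the submitted value is concatenated into the SQL string. If the
// element is a textfield (or the client simply posts a value the select list
// never offered), a value such as
//   x' UNION SELECT uid, name, pass FROM {users} -- 
// rewrites the query and returns rows the form was never meant to expose.
function example_event_convert_vulnerable($form, &$form_state) {
  $type = $form_state['values']['node_type'];
  $result = db_query("SELECT e.nid, e.event_start, e.event_end FROM {event} e "
    . "INNER JOIN {node} n ON n.nid = e.nid WHERE n.type = '" . $type . "'");
  while ($row = db_fetch_object($result)) {
    example_event_convert_node($row);
  }
}

// HARDENED, step 1: a validate handler rejects anything that is not one of
// the content types the form offered, so later code only sees known values.
function example_event_convert_validate($form, &$form_state) {
  $known = node_get_types('names');
  if (!isset($known[$form_state['values']['node_type']])) {
    form_set_error('node_type', t('Select a valid content type.'));
  }
}

// HARDENED, step 2: the value is still passed as a placeholder argument, not
// interpolated. db_query() escapes '%s' arguments with the driver's escaping
// function and casts %d arguments to integers, so data cannot change the
// structure of the query even if step 1 is bypassed by a later code change.
function example_event_convert_submit($form, &$form_state) {
  $type = $form_state['values']['node_type'];
  $result = db_query("SELECT e.nid, e.event_start, e.event_end FROM {event} e "
    . "INNER JOIN {node} n ON n.nid = e.nid WHERE n.type = '%s'", $type);
  while ($row = db_fetch_object($result)) {
    example_event_convert_node($row);
  }
}

// Stands in for the per-node conversion; here it only records what ran.
function example_event_convert_node($row) {
  watchdog('example', 'Converted node @nid (@start to @end)', array(
    '@nid' => $row->nid,
    '@start' => $row->event_start,
    '@end' => $row->event_end,
  ));
}
```

The two steps are independent defences: validation limits the value set, placeholders make the query structure immune to the value. Drupal 7's database layer uses named :placeholders instead of '%s' / %d, but the principle is identical.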

Versions affected
  • Date 6.x-2.x versions prior to 6.x-2.8.

Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Date module for Drupal 6.x, upgrade to Date 6.x-2.8

See also the Date project page.

Reported by
  • Greg Knaddison, Drupal security team member
Fixed by
  • Karen Stevenson, the module maintainer
Coordinated by
  • Michael Hess, Drupal security team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-003 - Fill PDF - Multiple vulnerabilities

Drupal Contrib Security - 5 January 2012 - 00:03
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-003
  • Project: Fill PDF (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-JANUARY-04
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Arbitrary code execution
Description

This module enables you to populate fillable PDF templates with data from nodes and webforms.

Access bypass (7.x only)

Arguments are passed in the wrong order to the function that performs the module's main work (filling a PDF). As a result, an attacker can cause any configured PDF to be filled, whether or not they have access to the underlying node or webform, by supplying a suitably formed query string argument.

This vulnerability is mitigated by the fact that an attacker can only access configured PDF templates, that the attacker must know (or brute-force) the node or webform IDs, and that only information that is configured to be filled into the PDFs (and the filled PDF templates themselves) can be obtained through this exploit.

Arbitrary code execution (6.x and 7.x)

Template import and export used serialized PHP, so importing a template required passing the submitted data to an unsafe PHP evaluation function. Untrusted input evaluated this way can execute arbitrary PHP code on the server. This vulnerability is mitigated by the fact that the attacker must have the 'administer PDFs' permission.
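The following is an added example, not Fill PDF's own import code, contrasting an import that evaluates exported PHP with one that parses a data-only format and validates its shape. The function names and the template structure (a name plus a map of PDF field keys to tokens) are assumptions.

```php
<?php
// Added example, not Fill PDF's code. Function names and the template
// structure are hypothetical.

// VULNERABLE: the export is PHP source (the var_export() pattern) and the
// import evaluates it. Whoever can reach the import form executes arbitrary
// PHP on the web server, e.g. by submitting
//   array('name' => 'x') ; system('id'); //
function example_template_import_vulnerable($code) {
  $template = NULL;
  eval('$template = ' . $code . ';');   // attacker-controlled PHP is executed
  return $template;
}

// Note: unserialize() on untrusted input is not a safe substitute. A crafted
// string instantiates arbitrary classes that are loaded at that moment (PHP
// object injection), and their __wakeup()/__destruct() methods run before
// the caller ever inspects the result.

// HARDENED: export a data-only format and, on import, decode to plain arrays
// and accept only the keys and types the template needs.
function example_template_export(array $template) {
  return json_encode($template);
}

function example_template_import($json) {
  $data = json_decode($json, TRUE);     // TRUE: associative arrays, never objects
  if (!is_array($data)) {
    return FALSE;
  }
  $allowed = array('name' => 'string', 'fields' => 'array');
  $template = array();
  foreach ($allowed as $key => $type) {
    if (!isset($data[$key]) || gettype($data[$key]) !== $type) {
      return FALSE;                      // missing key or wrong type: reject whole import
    }
    $template[$key] = $data[$key];
  }
  // Every field mapping must be a string PDF key pointing at a string token.
  foreach ($template['fields'] as $pdf_key => $token) {
    if (!is_string($pdf_key) || !is_string($token)) {
      return FALSE;
    }
  }
  return $template;
}
```

With the hardened import, the worst an attacker holding 'administer PDFs' can do is create a badly configured template; they can no longer run code. The whitelist of keys also means fields added to the template format later are ignored until the importer is deliberately taught about them.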

Versions affected
  • Fill PDF 6.x-1.x versions prior to 6.x-1.16.
  • Fill PDF 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Fill PDF module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Fill PDF module for Drupal 6.x, upgrade to Fill PDF 6.x-1.16.
  • If you use the Fill PDF module for Drupal 7.x, upgrade to Fill PDF 7.x-1.2.

See also the Fill PDF project page.

Reported by
  • Access bypass reported by Christian Johansson
  • Arbitrary code execution reported by Liam Morland
Fixed by
  • Kevin Kaland (wizonesolutions), module maintainer
  • Arbitrary code execution fixed by Liam Morland
Coordinated by
  • Dave Reid, Drupal Security team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security

SA-CONTRIB-2012-002 - Lingotek - Cross Site Scripting

Drupal Contrib Security - 4 January 2012 - 21:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2012-002
  • Project: Lingotek Collaborative Translation (third-party module)
  • Version: 6.x
  • Date: 2012-January-04
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network.

The module does not sufficiently sanitize user input when creating or editing page content. A malicious content editor can therefore inject script (e.g. JavaScript) that is stored and later executed in other users' browsers, a persistent Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit node content.

Versions affected
  • Lingotek 6.x-1.x versions prior to 6.x-1.40.

Drupal core is not affected. If you do not use the contributed Lingotek Collaborative Translation module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Lingotek module for Drupal 6.x, upgrade to Lingotek 6.x-1.40.

See also the Lingotek Collaborative Translation project page.

Reported by
  • Ezra Barnett Gildesgame
Fixed by
  • Steven Blatnick, the module maintainer
Coordinated by
  • Forest Monsen of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal Security