Drupal contributed modules
SA-CONTRIB-2012-082 - Zen - Cross Site Scripting
- Advisory ID: DRUPAL-SA-CONTRIB-2012-082
- Project: Zen (third-party theme)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: Requested.
The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.
The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.
This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.
Versions affected
- Zen 6.x-1.x versions prior to 6.x-1.1
Drupal core is not affected. Zen versions 6.x-2.x are not affected. If you do not use the contributed Zen theme, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Zen theme for Drupal 6.x, upgrade to theme 6.x-1.1 or any later version.
If you copied code from the zen_breadcrumb function into a custom sub-theme's template.php file, you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check_plain() like:
check_plain(menu_get_active_title());
Also see the Zen project page.
Reported by
- Jakub Suchy of the Drupal Security Team
- Premek Sumpela
- Jakub Suchy of the Drupal Security Team
- John Albin Wilkins the theme maintainer
- Dave Reid of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
- Advisory ID: DRUPAL-SA-CONTRIB-2012-081
- Project: Aberdeen (third-party theme)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: Requested.
The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.
The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.
This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.
Versions affected
- Aberdeen 6.x-1.x versions prior to 6.x-1.11
Drupal core is not affected. If you do not use the contributed Aberdeen theme, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Aberdeen theme for Drupal 6.x, upgrade to theme 6.x-1.11
If you copied code from the aberdeen_breadcrumb function into a custom sub-theme's template.php file, you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check_plain() like:
check_plain(menu_get_active_title());
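As an added illustration that is not code from the Zen or Aberdeen themes, the following stand-alone PHP shows the breadcrumb pattern both advisories describe: the active page title appended to the breadcrumb with and without check_plain(). The Drupal functions are replaced by minimal stand-ins (only when the real ones are absent) so the script runs under the plain php CLI, and the node title is a constructed sample.

```php
<?php
// Added example, not Zen or Aberdeen theme code: the "append the content title
// to the breadcrumb" pattern from both advisories, unsanitized and sanitized.

// Stand-in for Drupal 6's check_plain() when run outside Drupal: HTML-escape
// the string as UTF-8, escaping both quote styles so it is also safe inside
// attribute values.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Stand-in for menu_get_active_title(). On a real site this returns the active
// menu item's title, which on a node page is the node title: text controlled
// by whoever may create or edit content, not by the site builder.
if (!function_exists('menu_get_active_title')) {
  function menu_get_active_title() {
    global $sample_title;
    return $sample_title;
  }
}

// Render the breadcrumb. $crumbs holds already-rendered, trusted crumb links;
// $append_title mirrors the "Append the content title to the end of the
// breadcrumb" setting; $sanitize selects the unfixed or the fixed behaviour.
function breadcrumb_markup(array $crumbs, $append_title, $sanitize) {
  if ($append_title) {
    $title = menu_get_active_title();
    // Unfixed: the raw title is concatenated straight into page markup.
    // Fixed: the wrapping both advisories ask sub-theme owners to verify,
    // check_plain(menu_get_active_title()).
    $crumbs[] = $sanitize ? check_plain($title) : $title;
  }
  return '<div class="breadcrumb">' . implode(' &raquo; ', $crumbs) . '</div>';
}

// Constructed sample input: a node title that contains markup.
$sample_title = 'Q2 report <script>alert(1)</script>';
$crumbs = array('<a href="/">Home</a>', '<a href="/reports">Reports</a>');

echo "Unfixed breadcrumb:\n" . breadcrumb_markup($crumbs, TRUE, FALSE) . "\n\n";
echo "Fixed breadcrumb (check_plain):\n" . breadcrumb_markup($crumbs, TRUE, TRUE) . "\n";
```

Run inside a Drupal 6 bootstrap the stand-ins are skipped and the theme's real check_plain() and menu_get_active_title() are used.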
Also see the Aberdeen project page.
Reported by
- Jakub Suchy of the Drupal Security Team
- Premek Sumpela
- Jakub Suchy of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Ishmael Sanchez the theme maintainer
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-080
- Project: Hostmaster (Aegir) (third-party module)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Cross Site Scripting
CVE: Requested.
Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing to exploit this must have access to the PHP code of either provision itself or one of the sites hosted by Aegir.
Access Bypass
CVE: Requested.
Hostmaster doesn't allow people to edit or create certain node types that are used for the internal representation of data. The implementation of this wasn't fully complete and would still allow privileged users to edit these nodes. This can cause some data corruption in the front-end, leading to tasks that would appear to never finish running. This vulnerability is mitigated by the fact that people wishing to exploit this must have the 'edit package' or 'administer nodes' permissions, which are not given to any roles by the default Aegir install.
Versions affected
- Hostmaster 6.x-1.x versions prior to 6.x-1.9.
Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) module, there is nothing you need to do.
Solution
Follow the upgrade instructions in the release notes for the Aegir 1.9 release, which can be found at: http://community.aegirproject.org/1.9
Also see the Hostmaster (Aegir) project page.
Reported by
- The Cross Site Scripting vulnerability was reported by Steven Jones, one of the module maintainers.
- The Access Bypass vulnerability was reported by Ivo Van Geertruyen of the Drupal Security Team.
- The Cross Site Scripting vulnerability was fixed by Steven Jones one of the module maintainers.
- The Access Bypass vulnerability was fixed by Ivo Van Geertruyen of the Drupal Security Team and mig5 one of the module maintainers.
- Ivo Van Geertruyen of the Drupal Security Team.
- Greg Knaddison of the Drupal Security Team
SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2012-079
- Project: Post Affiliate Pro (third-party module)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Access bypass
CVE: Requested.
Post Affiliate Pro (PAP) is a module providing affiliate functionality for Ubercart and the Post Affiliate Pro application.
The module doesn't sufficiently filter user supplied text provided by users registering on the site, and it also allows unauthorized users to view other users' commissions.
Versions affected
- All versions of the module.
Drupal core is not affected. If you do not use the contributed Post Affiliate Pro module, there is nothing you need to do.
Solution
The module is no longer supported. Users should disable it. Users interested in continuing to use it should see the project page for more information.
Also see the Post Affiliate Pro project page.
Reported by
Fixed by
No fix was provided.
Coordinated by
- Michael Hess of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-078
- Project: Smart Breadcrumb (third-party module)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: Requested.
The function filter_titles() incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text.
This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue.
Versions affected
- Smart Breadcrumb 6.x-2.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Smart Breadcrumb module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Smart Breadcrumb module for Drupal 6.x, upgrade to Smart Breadcrumb 6.x-1.3
Also see the Smart Breadcrumb project page.
Reported by
- coltrane of the Drupal Security Team
- divThis the module maintainer
- Michael Hess of the Drupal Security Team
- Mori Sugimoto of the Drupal Security Team
SA-CONTRIB-2012-77 - Advertisement - Cross Site Scripting & Information Disclosure
- Advisory ID: DRUPAL-SA-CONTRIB-2012-077
- Project: Advertisement (third-party module)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities
CVE: Requested.
This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages.
The module could, under certain conditions, expose limited site configuration information and a debugging mode did not sufficiently sanitize input, allowing for potential cross-site scripting (XSS).
This vulnerability is mitigated by the fact that exposed data must have been explicitly set in the $conf variable in settings.php.
Versions affected
- Advertisement 6.x-2.x versions prior to 6.x-2.2.
Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Advertisement module for Drupal 6.x, upgrade to Advertisement 6.x-2.3
Also see the Advertisement project page.
Reported by
Fixed by
- Andrew Berry
- John Franklin, module maintainer
- Matt Kleve of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2012-076
- Project: Ubercart Product Keys (third-party module)
- Version: 6.x
- Date: 2012-May-16
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Access bypass
CVE: Requested.
This module enables you to sell product keys from an Ubercart store.
Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key.
Versions affected
- Ubercart Product Keys 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Ubercart Product Keys module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the uc_product_keys module for Drupal 6.x, upgrade to uc_products_key 6.x-1.1.
Also see the Ubercart Product Keys project page.
Reported by
- Daniel Glucksman
- Daniel Glucksman
- Tony Freixas the module maintainer
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-075
- Project: Take Control (third-party module)
- Version: 6.x
- Date: 2012-May-09
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Request Forgery
CVE: CVE-2012-2341
This module enables you to manage your Drupal file-system from within Drupal itself.
The module does not sufficiently validate Ajax calls, leading to the possibility of a Cross Site Request Forgery (CSRF) attack.
This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations and the web-server account does not have write access to Drupal root, only files/folders in Drupal's "files" directory are open to manipulation.
Versions affected
- Take Control 6.x-2.x versions prior to 6.x-2.2.
Drupal core is not affected. If you do not use the contributed Take Control module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Take Control module for Drupal 6.x, upgrade to Take Control 6.x-2.2
Also see the Take Control project page.
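The advisory above says the module's Ajax calls were not sufficiently validated. As an added example that is not Take Control's own code, the following stand-alone PHP shows the standard Drupal defence for such a state-changing Ajax callback: a session-bound token, issued with drupal_get_token() when the page is rendered and checked with drupal_valid_token() before the callback acts. The two token functions are stand-ins (an assumed HMAC-SHA256 construction, used only when the real Drupal 6 functions are absent, which take the same first arguments), the session id and private key are constructed values, and the callback never touches the filesystem.

```php
<?php
// Added example (not Take Control's code): a per-session token check on an
// Ajax callback that changes state, the mitigation for the CSRF bug class
// described in this advisory.

// Constructed stand-ins for session_id() and the drupal_private_key variable.
$SESSION_ID = 'constructed-session-id';
$PRIVATE_KEY = 'constructed-drupal-private-key';

// Stand-in for Drupal 6's drupal_get_token($value): a token bound to the
// current session and to the purpose string $value. Assumed construction
// (HMAC-SHA256); Drupal 6's own implementation differs in detail.
if (!function_exists('drupal_get_token')) {
  function drupal_get_token($value = '') {
    global $SESSION_ID, $PRIVATE_KEY;
    return hash_hmac('sha256', $SESSION_ID . $value, $PRIVATE_KEY);
  }
}

// Stand-in for drupal_valid_token($token, $value): constant-time comparison of
// the submitted token against the one this session would have been issued.
if (!function_exists('drupal_valid_token')) {
  function drupal_valid_token($token, $value = '') {
    return hash_equals(drupal_get_token($value), (string) $token);
  }
}

// The Ajax endpoint. $request mirrors the $_POST a file-management action would
// send; $check_token selects the unfixed (FALSE) or fixed (TRUE) behaviour.
// Returns the array the callback would encode as its JSON reply.
function take_control_style_ajax(array $request, $check_token) {
  $action = isset($request['action']) ? $request['action'] : '';
  if ($check_token) {
    // Fixed: refuse to do anything unless the request carries a token that
    // was issued to this session for this action.
    $token = isset($request['token']) ? $request['token'] : '';
    if (!drupal_valid_token($token, 'takecontrol-' . $action)) {
      return array('status' => 'error', 'message' => 'Invalid form token.');
    }
  }
  // Placeholder for the real filesystem work; the example never touches disk.
  return array('status' => 'ok', 'message' => 'Would perform "' . $action . '".');
}

// A cross-site request: the victim's browser attaches the session cookie, but
// the attacking page cannot read the session-bound token, so it has to guess.
$forged = array('action' => 'delete', 'token' => 'guessed-value');
// A request from the module's own page, which embedded the issued token.
$legit = array('action' => 'delete', 'token' => drupal_get_token('takecontrol-delete'));

$cases = array(
  'no token check, forged request' => take_control_style_ajax($forged, FALSE),
  'token check, forged request' => take_control_style_ajax($forged, TRUE),
  'token check, legitimate request' => take_control_style_ajax($legit, TRUE),
);
foreach ($cases as $label => $result) {
  echo str_pad($label, 34) . $result['status'] . ': ' . $result['message'] . "\n";
}
```

Only the third case is accepted once the check is in place; the token must be bound to the session so that an attacker's page, which has no way to read it, cannot supply it.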
Reported by
Fixed by
- Rahul Singla the module maintainer
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-074 - Contact Forms - Access Bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2012-074
- Project: Contact Forms (third-party module)
- Version: 7.x
- Date: 2012-May-09
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
CVE: CVE-2012-2340
This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form (without a drop down menu) with a unique path for each of the contact form categories.
The module allowed users to edit the Contact Form settings if they had permission to 'access the site-wide contact form' instead of the more appropriate 'Administer contact forms and contact form settings' permission.
This vulnerability is only mitigated by the fact that an attacker must know the correct URL to access the Contact Forms settings page (though it is the same on all Drupal sites).
Versions affected
- Contact Forms 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Contact Forms module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Contact Forms module for Drupal 7.x, upgrade to Contact Forms 7.x-1.3
Also see the Contact Forms project page.
Reported by
Fixed by
- Geoff Davies the module maintainer
- Greg Knaddison of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-073
- Project: Glossary (third-party module)
- Version: 6.x
- Date: 2012-May-09
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: CVE-2012-2339
The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term.
The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.
Versions affected
- Glossary 6.x-1.x versions prior to 6.x-1.8.
Drupal core is not affected. If you do not use the contributed Glossary module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Glossary module for Drupal 6.x, upgrade to Glossary 6.x-1.8.
Also see the Glossary project page.
Reported by
- Dylan Wilder-Tack of the Drupal Security Team
- Nancy Wichmann the module maintainer
- Chris Hales
- Forest Monsen of the Drupal Security Team
SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-072
- Project: cctags (third-party module)
- Version: 6.x, 7.x
- Date: 2012-May-02
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: CVE-2012-2310
This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site.
The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create or edit vocabularies or terms.
Versions affected
- cctags 6.x-1.x versions prior to 6.x-1.10.
- cctags 7.x-1.x versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed cctags module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the cctags module for Drupal 6.x, upgrade to cctags 6.x-1.10
- If you use the cctags module for Drupal 7.x, upgrade to cctags 7.x-1.10
Also see the cctags project page.
Reported by
- Michael Hess of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Oleg Kovalchuk the module maintainer
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2012-071
- Project: Glossify Internal Links Auto SEO (third-party module)
- Version: 6.x
- Date: 2012-May-02
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: CVE-2012-2309
This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages.
This module does not protect against a Cross Site Scripting (XSS) attack. The vulnerability is mitigated by the fact that the attacker must be able to create or edit any of: content (nodes), vocabularies, or terms.
Versions affected
- 6.x-2.5 and before
Drupal core is not affected. If you do not use the contributed Glossify Internal Links Auto SEO module, there is nothing you need to do.
Solution
Uninstall the module; it is no longer supported.
Also see the Glossify Internal Links Auto SEO project page.
Reported by
- Andrei Turcanu
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2012-070
- Project: Taxonomy Grid : Catalog (third-party module)
- Version: 6.x
- Date: 2012-May-02
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
CVE: CVE-2012-2308
This module provides a page where you can see each content type you've selected under terms from vocabularies you've selected.
This module does not properly filter user supplied text, resulting in a Cross Site Scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term.
Versions affected
- 6.x-1.6 and before
Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog module, there is nothing you need to do.
Solution
Uninstall the module.
Also see the Taxonomy Grid : Catalog project page.
Reported by
- Dylan Tack of the Drupal Security Team
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2012-069
- Project: Addressbook (third-party module)
- Version: 6.x
- Date: 2012-May-02
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection
This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.
For the SQL Injection issue -
CVE: CVE-2012-2306
For the CSRF issue -
CVE: CVE-2012-2307
Versions affected
- 6.x-4.2 and before
Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.
Solution
This module is not supported. Uninstall the module.
Also see the Addressbook project page.
Reported by
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2012-068
- Project: Node Gallery (third-party module)
- Version: 6.x
- Date: 2012-May-02
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Request Forgery
CVE: CVE-2012-2305
Node Gallery enables users to create a more flexible and powerful gallery that is fully integrated with Drupal's core node system.
This module does not protect against a CSRF attack when creating node galleries.
Versions affected
- 6.x-3.1 and before
Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.
Solution
Uninstall the module; this module is no longer supported.
Also see the Node Gallery project page.
Reported by
Coordinated by
- Michael Hess of the Drupal Security Team
SA-CONTRIB-2012-067 - Linkit - Access bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2012-067
- Project: Linkit (third-party module)
- Version: 7.x
- Date: 2012-April-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
CVE: CVE-2012-2304
Linkit provides an easy interface for internal and external linking. Linkit links to nodes, users, managed files and terms, and has basic support for all entities by default, using an autocomplete field.
When searching for entities, no access restrictions were added and users may see information about content that they do not normally have access to see. This issue only affects sites using an entity access module to limit access to content for some users.
Versions affected
- Linkit 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Linkit module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Linkit module for Drupal 7.x, upgrade to Linkit 7.x-2.3
Also see the Linkit project page.
Reported by
Fixed by
- Emil Stjerneman the module maintainer
- Greg Knaddison of the Drupal Security Team
SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass
- Advisory ID: DRUPAL-SA-CONTRIB-2012-066
- Project: Spaces (third-party module)
- Version: 6.x
- Date: 2012-April-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
CVE: CVE-2012-2303
Spaces is an API module intended to make configuration options that are generally available only at the sitewide level configurable and overridable by individual "spaces" on a Drupal site.
The spaces and spaces_og modules (part of the spaces package) in some cases do not apply the expected spaces access permission to pages that are non-objects (e.g. /node).
This vulnerability is mitigated by the fact that node_access and user profile permissions will prevent node or user data from being exposed, but other information (e.g. block data, etc.) is still displayed. This issue only affects sites using spaces to limit access to content for some users.
Versions affected
- Spaces 6.x-3.x versions prior to 6.x-3.4.
Drupal core is not affected. If you do not use the contributed Spaces module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.4
Also see the Spaces project page.
Reported by
Fixed by
- Patrick Settle the module maintainer
- Fox
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Matt Kleve of the Drupal Security Team
SA-CONTRIB-2012-065 - Sitedoc - Information disclosure
- Advisory ID: DRUPAL-SA-CONTRIB-2012-065
- Project: Site Documentation (third-party module)
- Version: 6.x
- Date: 2012-April-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure
This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison.
The module doesn't sufficiently verify that the saved file is protected by the Private File System.
This vulnerability is mitigated by the fact that the administrator must have configured the module to save the HTML report file to disk.
Versions affected
- Sitedoc 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Site Documentation module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Sitedoc module for Drupal 6.x, upgrade to Sitedoc 6.x-1.4, and
- Enable the private file system if you want to save the output file.
Also see the Site Documentation project page.
Reported by
- Jakub Suchý of the Drupal Security Team
- Nancy Wichmann, the module maintainer
- Forest Monsen of the Drupal Security Team
SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CONTRIB-2012-064
- Project: Ubercart (third-party module)
- Version: 6.x, 7.x
- Date: 2012-April-25
- Security risk: Moderately critical
- Exploitable from: Varies (Local & Remote)
- Vulnerability: Cross Site Scripting, Arbitrary PHP code execution, Multiple vulnerabilities
The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. Parts of Ubercart were vulnerable to a Failure to encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution vulnerability.
Failure to encrypt data: Exploitable from local
Passwords supplied by new customers during checkout were stored as plain text until payment was completed for an order, for a maximum of 15 minutes. This vulnerability is not exploitable remotely, but information may have inadvertently been leaked via database access (e.g. backups, developer laptops that are compromised).
Cross Site Scripting: Exploitable from remote
The product classes feature did not properly sanitize output and was vulnerable to a cross site scripting attack. This vulnerability is mitigated by the fact that an attacker must have the "administer product classes" permission.
Arbitrary PHP Execution: Exploitable from remote
In Ubercart 6.x-2.x, arbitrary PHP code can be executed by users with the "administer conditional actions" permission. This vulnerability is mitigated by the fact that this permission should only be granted to trusted users.
Versions affected
Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart 6.x-2.8.
- If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.1.
Additionally, in Drupal 6.x, ensure that only trusted users have roles that have been granted the "administer conditional actions" permission.
Also see the Ubercart project page.
Reported by
- Shaun Dychko reported the Failure to encrypt data issue
- Lee Rowlands reported the Cross Site Scripting issue
- Dave Long reported the Arbitrary PHP Execution issue
- Dave Long the module maintainer
- Lyle Mantooth the module maintainer
- Greg Knaddison of the Drupal Security Team
SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2012-063
- Project: RealName (third-party module)
- Version: 6.x
- Date: 2012-April-25
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
This module allows you to set a pattern for constructing "Real names" for users out of profile fields. The module does not sufficiently escape users' real names under certain circumstances which could lead to a Cross-Site Scripting (XSS) attack.
Versions affected
- RealName 6.x-1.x versions prior to 6.x-1.5.
- RealName 7.x-1.x versions are not vulnerable.
Drupal core is not affected. If you do not use the contributed RealName module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the RealName module for Drupal 6.x, upgrade to RealName 6.x-1.5.
Also see the RealName project page.
Reported by
- Gabor Szanto
- Dave Reid, module maintainer and Drupal Security Team member
- Gabor Szanto
- Dave Reid, module maintainer and Drupal Security Team member
- Dave Reid of the Drupal Security Team
- Michael Hess of the Drupal Security Team
