HomeBlogsDave Keays's blog

Security Announcements for October 2008

Thu, 10/09/2008 - 19:28 — Dave Keays

October 2008 has not been a kind month for Drupal. In addition to a 3rd party module needing to be updated, there have been modules banned because of multiple vulnerabilities, many problems with people updating modules wrong in Drupal 6, and several problems with the core that requires the Drupal core to be updated itself.

I do want to mention that how secure a system is isn't measured by how many security announcements or vulnerabilities are found. There are also issues of how long does it take to fix them, and whether or not they are finding them before they are found in the wild.

Drupal has excellent security in this sense. We have to thank both the security team and community members who contribute to the team for this fast pro-active approach to security.

  • SA-2008-068 - Localization

    There is a Cross-Site-Request-Forgery for Drupal 5.x prior to 5.x-1.1 and Drupal 6.x prior to 6.x-1.6 that allows modifications to be made to translated strings and suggestion submissions.

  • SA-2008-067 - core 5.11 and 6.6

    Files outside of the root directory can be manipulated and a Cross-Site-Scripting error exists. A Files outside the root directory can be manipulated on an IP-based virtual host. The book system is vulnerable to XSS when the "create book content" permission or the permission to edit any node in the book hierarchy is used.

  • SA-2008-066 - Shindig-Integrator

    has multiple vulnerabilities and should be removed removed from your site

  • SA-2008-065 - Node Clone

    access restrictions bypassed when 'clone node' perm used

  • SA-2008-064 - Node Vote

    open to SQL injection when "Allow user to vote again" set

  • SA-2008-063 - MULTIPLE MODULES - ACCESS BYPASS

    There is an access bypass in several modules due to incorrect updating the menu system in Drupal 6. This allows underprivileged users to access content they should be prohibited from, post dangerous content, and use administrative functions.

    modules affected
    • Live before version 6.x-1.0
    • AJAX Picture Preview before version 6.x-1.2
    • Admin:hover (in development) before 2008-Oct-08
    • Banner Rotor Module before version 6.x-1.3
    • Creative Commons Lite before version 6.x-1.1
    • Keyboard shortcut utiilty before version 6.x-1.1
    • LiveJournal CrossPoster before version 6.x-1.4
    • Taxonomy import/export via XML before version 6.x-1.2
    • User Referral development module before 2008-Oct-08
  • SA-2008-062 - SIOC (Semantically-Interconneted Online Communities) Versions affected for Drupal 5.x prior to 5.x-1.2 Versions affected for Drupal 6.x prior to 6.x-1.1

    The module doesn't implement Drupal's menu and database APIs correctly, allowing unprivileged users to view comments, hashed emails, usernames and roles which they might otherwise not have access to.

  • SA-2008-061 - EVERYBLOG - MULTIPLE VULNERABILITIES (including SQL injection, Cross-site scripting (XSS), Privilege escalation, access bypass)

    The module does not follow Drupal best practices for database queries and handling of user submitted data, leading to a number of vulnerabilities. One example is that an unprivileged user may become logged in to the account of an existing user, including an administrator.

    All versions of Everyblog are affected. The Drupal security team suggests you remove all versions of this module from your site. This module has been removed from Drupal.org.

  • SA-2008-060 - DRUPAL CORE - MULTIPLE VULNERABILITIES

    Several deficiencies were found in Drupal core modules and functions. Those functions include: upload, access rules, BlogAPI, node module.

    In Drupal 5, Node module (hook_nodeapi) can let users look at files attached to content which they do not otherwise have access to.

    A logic error in the Drupal 6 upload module validation allows unprivileged users to attach files to content.

    Both 5 and 6 suffer from several security related problems including:

    • Access Rules can allow users to log-on even when they have been blocked.
    • The Blog API allows users to enter dangerous content.
    • Users may bypass node validation before version 5.11 and 6.5
  • SA-2008-059 - BRILLIANT GALLERY

    Brilliant Gallery for Drupal 5.x prior to 5.x-4.2 has an SQL injection
    also see: DRUPAL-SA-2008-058 (9-24)

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
  • Web page addresses and e-mail addresses turn into links automatically.
  • You may use [inline:xx] tags to display uploaded files or images inline.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.