Drupal Security Contributed Module Updates

• Advisory ID: DRUPAL-SA-CONTRIB-2012-022
• Project: CDN (third-party module)
• Version: 6.x, 7.x
• Date: 2012-February-15
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Access bypass

The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server.

When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a vulnerability that allows anyone to view the contents of any *.php file within the site, including settings.php.

This vulnerability is mitigated by the fact that the site owner must have enabled the "Far Future expiration" option, and must be using the latest version of the module.

• CDN version 6.x-2.2
• CDN version 7.x-2.2

Drupal core is not affected. If you do not use the contributed CDN module, there is nothing you need to do.

Install the latest version:

• Upgrade to CDN module 6.x-2.3
• Upgrade to CDN module 7.x-2.3

See also the CDN project page.

• Ivo Van Geertruyen of the Drupal Security Team

• Wim Leers the module maintainer
• Ivo Van Geertruyen of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-021
• Project: Organic Groups Vocabulary (third-party module)
• Version: 6.x
• Date: 2012-February-15
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

This module enables you to have a specific vocabulary per organic group.
The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to "administer own group vocabulary" and be an admin of another group.

• OG Vocab 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed OG Vocabulary module, there is nothing you need to do.

Install the latest version:

• If you use the OG Vocab module for Drupal 6.x, upgrade to OG Vocab 6.x-1.2

See also the OG Vocabulary project page.

• Chris Czeyka

• Amitai Burstein the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-020
• Project: Faster Permissions (third-party module)
• Version: 7.x
• Date: 2012-February-15
• Security risk: Highly critical
• Exploitable from: Remote
• Vulnerability: Access bypass

This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions.

The module doesn't sufficiently check for the required permissions when the provided permission administration is displayed and therefore allows users without the required permissions to configure module permissions.

• Faster Permissions 7.x-2.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Faster Permissions module, there is nothing you need to do.

Install the latest version:

• If you use the Faster Permissions module for Drupal 7.x, upgrade to Faster Permissions 7.x-1.2

See also the Faster Permissions project page.

• Sascha Grossenbacher

• Sascha Grossenbacher
• Jason Savino the module maintainer.

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Edited to link to the 7.x-1.2 release instead of the mistaken 7.x-7.2 release. Both contain the same code, but 7.x-1.2 is more appropriate for Drupal's update mechanism.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-019
• Project: Link checker (third-party module)
• Version: 6.x
• Date: 2012-February-15
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Access bypass

The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed.

The module does not correctly check permission to access the site's content before displaying broken links that were found within it, leading to an access bypass vulnerability.

This vulnerability is mitigated by several factors: The site must have private content (for example, if a node access or CCK field access module is being used), and the Link checker module must be configured to display broken links to users who do not already have permission to bypass content access control. Also, only the URLs of the broken links are displayed, so this vulnerability is only serious if the content of those URLs is potentially sensitive (for example, if the URL contains a username and password or a secure token, or if it would reveal sensitive information about topics being discussed in the rest of the private content).

• Link checker 6.x-2.x versions prior to 6.x-2.5.

Drupal core is not affected. If you do not use the contributed Link checker module, there is nothing you need to do.

Install the latest version:

• If you use the Link checker module for Drupal 6.x, upgrade to Link checker 6.x-2.5.

See also the Link checker project page.

Various aspects of the access bypass vulnerability were reported by the following individuals:

• Ivo Van Geertruyen of the Drupal Security Team
• Dave Reid of the Drupal Security Team
• Alexander Hass, the module maintainer
• David Rothstein of the Drupal Security Team

• David Rothstein of the Drupal Security Team
• Alexander Hass, the module maintainer
• Ivo Van Geertruyen of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-018
• Project: Revisioning (third-party module)
• Version: 6.x
• Date: 2012-FEB-08
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Drupal Revisioning module (https://drupal.org/project/revisioning) "is a module for the configuration of workflows to create, moderate and publish content revisions."
The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display.

Users with the ability to create content and tags that are submitted to a review queue could include malicious JavaScript or HTML as part of their tags. Users reviewing the queue would then become victims of the XSS attack.

The risk is mitigated by the fact that the attacker must have the ability to create taxonomy terms (either "administer taxonomy" or via a freetagging vocabulary).

• Revisioning 6.x-3.13 and prior.

Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.

Install the latest version:

• Upgrade to Revisioning 6.x-3.14

See also the Revisioning project page.

• Justin C. Klein Keane

• Justin C. Klein Keane
• Rik de Boer, the module maintainer

• Dylan Tack of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-017
• Project: Finder (third-party module)
• Version: 6.x, 7.x
• Date: 2012-February-08
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting, Arbitrary PHP code execution, Multiple vulnerabilities

Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values.

In addition, users with the "administer finder" permission were able to execute arbitrary code through a PHP import interface; specific PHP execution permissions were not required.Updated: This issue affected only the 7.x branch of code. The 6.x branch used the permission "administer finder PHP settings" which is sufficiently clear that it allows execution of PHP code.

• Finder 6.x-1.x prior to 6.x-1.26
• Finder 7.x-1.x versions (all)
• Finder 7.x-2.x versions prior to 7.x-2.0-alpha8

Drupal core is not affected. If you do not use the contributed Finder module, there is nothing you need to do.

Install the latest version:

• If you use the Finder module for Drupal 6.x, upgrade to Finder 6.x-1.26.
• If you use the Finder module for Drupal 7.x, upgrade to Finder 7.x-2.0-alpha8.

See also the Finder project page.

• Justin C. Klein-Keane

• Daniel Braksator the module maintainer

• Greg Knaddison and Forest Monsen of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-016
• Project: Forward (third-party module)
• Version: 6.x, 7.x
• Date: 2012-February-01
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass, Cross Site Request Forgery

The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below.

The module includes "Recent forwards" and "Most forwarded" blocks that display the titles of the most recently forwarded nodes and the nodes forwarded the most for all time. The module doesn't check that site visitors have permissions to view the node titles listed in these blocks, resulting in an access bypass. This vulnerability is mitigated by the fact that these blocks are disabled by default.

The module includes a "Dynamic Block" feature which adds a listing of the top 5 node titles to the bottom of the generated email to a friend. The module doesn't sufficiently check that the email recipient has permission to view the node titles included in the block, resulting in an access bypass. This vulnerability is mitigated by the fact that the Dynamic Block feature is disabled by default.

The module includes clickthrough tracking so that the site administrator can determine which emails are generating the most clicks back to the site. The tracking code is vulnerable to CSRF because it uses a publicly available link that could be manipulated to falsely boost the perceived importance of a node.

• Forward 6.x-1.x versions prior to 6.x-1.21
• Forward 7.x-1.x versions prior to 7.x-1.3

Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.

Install the latest version:

• If you use the Forward module for Drupal 6.x, upgrade to Forward 6.x-1.21
• If you use the Forward module for Drupal 7.x, upgrade to Forward 7.x-1.3

The upgrade is "code only" and does not require running the database update script.

IMPORTANT: Administrators of sites that rely on the Dynamic Block access bypass to operate correctly need to visit the Forward configuration page and explicitly select the Dynamic Block Access Control bypass option after upgrading. This should be rare, so most site administrators can simply upgrade the module without the need for additional configuration.

See also the Forward project page.

• Greg Knaddison (greggles) of the Drupal Security Team

• John Oltman the module maintainer

• Greg Knaddison (greggles) of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-015
• Project: Managesite (third-party module)
• Version: 6.x
• Date: 2012-January-25
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone (/admin). The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer managesite".

• Managesite 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Managesite module, there is nothing you need to do.

Install the latest version:

• If you use the Managesite module for Drupal 6.x, upgrade to Managesite 6.x-1.1

See also the Managesite project page.

• Justin Klein Keane

• jacinto capote robles the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-014
• Project: Drupal Commerce (third-party module)
• Version: 7.x
• Date: 2012-January-25
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Cart forms. In Drupal Commerce 1.1 this feature was expanded to also incorporate the "extra fields" of products, i.e. the product title and SKU.

The theme functions used to render product titles and SKUs prints those variables to the page without properly sanitizing them first. A user with the proper permissions could create a product that ends up in a node display where a malicious title or SKU is rendered.

This vulnerability is mitigated by the fact that the attacker must have a role with a product creation permission, and since Drupal Commerce 1.1, the site must have been updated to make use of these extra fields in product display nodes as they default to being hidden on all product displays.

• Drupal Commerce version 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Install the latest version:

• If you use Drupal Commerce 7.x-1.1, upgrade to Drupal Commerce 7.x-1.2

See also the Drupal Commerce project page.

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Ryan Szrama (rszrama) the module maintainer

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-013
• Project: Search Autocomplete (third-party module)
• Version: 7.x
• Date: 2012-January-25
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: SQL Injection

The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site.

Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability is mitigated by the fact that users must have a role with permission "use search_autocomplete" to exploit.

• Search Autocomplete versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Search Autocomplete module, there is nothing you need to do.

Install the latest version:

• If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-2.1

See the Search Autocomplete project page for more information.

• Miguel Hermo (serans)

• Dominique Clause (Miroslav Talenberg) the module maintainer
• Miguel Hermo (serans)

• Ben Jeavons of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-012
• Project: Quick Tabs (third-party module)
• Version: 6.x, 7.x
• Date: 2012-January-18
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs.
Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user account with a role permitted to create or edit a Quicktabs instance.

• Quicktabs 6.x-2.x versions prior to 6.x-2.1.
• Quicktabs 6.x-3.x versions prior to 6.x-3.1.
• Quicktabs 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Quick Tabs module, there is nothing you need to do.

Install the latest version:

• If you use the Quicktabs 2.x module for Drupal 6.x, upgrade to Quicktabs 6.x-2.1
• If you use the Quicktabs 3.x module for Drupal 6.x, upgrade to Quicktabs 6.x-3.1
• If you use the Quicktabs 3.x module for Drupal 7.x, upgrade to Quicktabs 7.x-3.3

See also the Quick Tabs project page.

• Owen Barton of the Drupal Security Team
• Michael Smith

• Katherine Bailey the module maintainer
• Michael Smith

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-011
• Project: Panels (third-party module)
• Version: 6.x
• Date: 2012-January-18
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Panels module allows a site administrator to create customized layouts for multiple uses.
The module doesn't sufficiently sanitize administrator supplied data.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer panel layouts".

• Panels 6.x-2.x versions prior to 6.x-3.10.

Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.

Install the latest version:

• If you use the Panels module for Drupal 6.x, upgrade to Panels 6.x-3.10

See also the Panels project page.

• Justin Klein Keane

• Justin Klein Keane
• Earl Miles the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-010
• Project: stickynote (third-party module)
• Version: 7.x
• Date: 2012-January-17
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting, Cross Site Request Forgery

This module enables you to add textual notes in a block to perform quality assurance of your site.
Previously it did not sufficiently protect against Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "delete stickynotes" or "edit stickynotes".

• Stickynote 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed stickynote module, there is nothing you need to do.

Install the latest version:

• If you use Stickynote version 7.x-1.x download 7.x-1.1.

See also the stickynote project page.

• Greg Knaddison of the Drupal Security Team

• Luke Herrington the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-009
• Project: Revisioning (third-party module)
• Version: 7.x
• Date: 2012-January-18
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Access bypass

This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher.

The module's implementation of hook_node_access() assumes that access is to granted/denied based on the logged-in user's permissions. However, the hook may be invoked in contexts whereby the access grants are to be returned for a particular account passed into the hook. This could result in an access bypass vulnerability if node_access() is called for a specific user account.

This vulnerability happens when using the XML sitemap module which as a result will disclose the URLs of un-accessible or unpublished content to anonymous users. The actual content itself is not disclosed.

• Revisioning 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Revisioning module, there is nothing you need to do.

Install the latest version:

• If you use the Revisioning module for Drupal 7.x, upgrade to Revisioning 7.x-1.3.

See also the Revisioning project page.

• Dave Reid, Drupal Security Team member
• Adam Bramley

• Dave Reid, Drupal Security Team member
• Rik de Boer, module maintainer

• Dave Reid, Drupal Security Team member

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-008
• Project: Video Filter (third-party module)
• Version: 6.x, 7.x
• Date: 2012-JANUARY-11
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display.

This vulnerability is mitigated by the fact that the attacker has to be able to either control the source of third party data (such as via DNS hijack) or manipulate it in transit.

• Video Filter 6.x-2.x and 6.x-3.x versions prior to 6.x-3.0.
• Video Filter 7.x-2.x and 7.x-3.x versions prior to 7.x-3.0.

Drupal core is not affected. If you do not use the contributed Video Filter module, there is nothing you need to do.

Install the latest version:

• If you use the Video Filter module for Drupal 6.x, upgrade to Video Filter 6.x-3.0
• If you use the Video Filter module for Drupal 7.x, upgrade to Video Filter 7.x-3.0

See also the Video Filter project page.

• Justin Klein Keane

• Justin Klein Keane
• Hans Nilsson, module maintainer

• Dave Reid, Drupal Security Team member

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-007
• Project: Password policy (third-party module)
• Version: 6.x
• Date: 2012-January-11
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting, Cross Site Request Forgery

This module enables you to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a policy.

Unblocking a user does not require sufficient confirmation by administrative users and can be exploited with a specially crafted URL.

The module doesn't sufficiently sanitize the name of password policies. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer policies".

This issue also affects the 7.x branch which is only in beta release. Users of non-stable releases are encouraged to upgrade frequently as those releases are not covered by the Drupal Security Team policy.

• Password Policy 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Install the latest version:

• If you use the Password Policy module for Drupal 6.x, upgrade to Password Policy 6.x-1.4.

Clear the site's cache:
visit Administer > Site Configuration > Performance and click "Clear cached data."

See also the Password policy project page.

• Greg Knaddison of the Drupal Security Team

• Erik Webb the module co-maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-006
• Projects: SuperCron, Taxotouch, Taxonomy Navigator, Admin:hover (third-party modules)
• Version: 6.x, 7.x
• Date: 2012-January-11
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting, Cross Site Request Forgery

SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission.

Taxotouch helps you navigate taxonomy. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

Taxonomy Navigatorshows terms from a vocabulary. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with the ability to create a vocabulary or taxonomy terms.

Admin:hover allows admins to easily publish/unpublish nodes. The module is vulnerable to Cross Site Request Forgeries which would allow an attacker to trick an admin into executing enabled actions such as unpublishing all nodes.

All versions of all four modules are affected by vulnerabilities.

Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.

Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Abandoned project process

• The Supercron issue was prematurely disclosed publicly outside of the security issue reporting process
• Admin:hover issue reported by Ivo Van Geertruyen of the Drupal Security Team
• Taxotouch issue reported by Dylan Tack of the Drupal Security Team
• Taxonomy Navigator issue reported by Dylan Tack of the Drupal Security Team

No fixes created.

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-005
• Project: Vote Up/Down (third-party module)
• Version: 6.x
• Date: 2012-January-11
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

This module enables you to add voting widgets to nodes, terms and comments.
The vud_term sub-module doesn't sufficiently sanitize taxonomy terms before display.
In order to execute arbitrary script injection malicious users must have the ability to create or edit taxonomy terms.

• Vote up/down 6.x-2.x versions prior to 6.x-2.8.
• Vote up/down 6.x-3.x versions prior to 6.x-3.1.

Drupal core is not affected. If you do not use the contributed Vote Up/Down module, there is nothing you need to do.

Install the latest version:

• If you use a 6.x-2.x version of Vote up/down module for Drupal 6.x, upgrade to Vote up/down 6.x-2.8.
• If you use a 6.x-3.x version of Vote up/down module for Drupal 6.x, upgrade to Vote up/down 6.x-3.1.

See also the Vote Up/Down project page.

• Justin C. Klein Keane

• Marco Villegas the module maintainer
• Greg Knaddison of the Drupal Security Team

• Greg Knaddison, Drupal security team member

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-004
• Project: Date (third-party module)
• Version: 6.x
• Date: 2012-January-11
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: SQL Injection

This module enables you to add and administer date fields to nodes. It includes Date Tools, that allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Date Tools", and the option is only available on sites which have used the Event module in the past and have the Event table in the database.

• Date 6.x-2.x versions prior to 6.x-2.8.

Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do.

Install the latest version:

• If you use the Date module for Drupal 6.x, upgrade to Date 6.x-2.8

See also the Date project page.

• Greg Knaddison, Drupal security team member

• Karen Stevenson, the module maintainer

• Michael Hess, Drupal security team member

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-003
• Project: Fill PDF (third-party module)
• Version: 6.x, 7.x
• Date: 2012-JANUARY-04
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass, Arbitrary code execution

This module enables you to populate fillable PDF templates with data from nodes and webforms.

Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger any PDF to be filled, regardless of whether they have access to the node/webform or not, by passing an appropriately-formed query string argument.

This vulnerability is mitigated by the fact that an attacker can only access configured PDF templates, that the attacker must know (or brute-force) the node or webform IDs, and that only information that is configured to be filled into the PDFs (and the filled PDF templates themselves) can be obtained through this exploit.

The template importing and exporting used serialized PHP which required the use of an unsafe PHP function to evaluate and import templates, which could lead to execution of unwanted and untrusted code. This vulnerability is mitigated by the fact that the attacker must have the 'administer PDFs' permission.

• Fill PDF 6.x-1.x versions prior to 6.x-1.16.
• Fill PDF 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Fill PDF module, there is nothing you need to do.

Install the latest version:

• If you use the Fill PDF module for Drupal 6.x, upgrade to Fill PDF 6.x-1.16.
• If you use the Fill PDF module for Drupal 7.x, upgrade to Fill PDF 7.x-1.2.

See also the Fill PDF project page.

• Access bypass reported by Christian Johansson
• Arbitrary code execution reported by Liam Morland

• Kevin Kaland (wizonesolutions), module maintainer
• Arbitrary code execution fixed by Liam Morland

• Dave Reid, Drupal Security team member

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.