oss-sec mailing list archives
Re: CVE Request for Drupal Contributed Modules
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 07 Oct 2012 00:15:51 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/04/2012 12:15 PM, Joshua Brauer wrote:
This is a batch CVE request for several already published/resolved issues with contributed modules for the Drupal project.
Assigned most, need clarification on several issues. Top posting for ease of use. Please see below for questions. +CVE-2012-4482 Drupal SA-CONTRIB-2012-112 - Ubercart SecureTrading - Failure to follow guideline/specification +CVE-2012-4483 Drupal SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass +CVE-2012-4484 Drupal SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS) +CVE-2012-4485 Drupal SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS) +CVE-2012-4486 Drupal SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) +CVE-2012-4487 Drupal SA-CONTRIB-2012-116 - Subuser - Access Bypass +CVE-2012-4488 Drupal SA-CONTRIB-2012-117 - Location - Access Bypass +CVE-2012-4489 Drupal SA-CONTRIB-2012-118 - Secure Login - Open Redirect +CVE-2012-4490 Drupal SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS) +CVE-2012-4491 Drupal SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass +CVE-2012-4492 Drupal SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS) +CVE-2012-4493 Drupal SA-CONTRIB-2012-122 - Better Revisions - Cross Site Scripting (XSS) +CVE-2012-4494 Drupal SA-CONTRIB-2012-123 - Shibboleth authentication - - Access Bypass +CVE-2012-4495 Drupal SA-CONTRIB-2012-124 - Mime Mail - Access Bypass +CVE-2012-4496 Drupal SA-CONTRIB-2012-127 - Custom Publishing Options - - Cross Site Scripting (XSS) Vulnerability +CVE-2012-4497 Drupal SA-CONTRIB-2012-128 - Elegant Theme - Cross Site Scripting (XSS) +CVE-2012-4498 Drupal SA-CONTRIB-2012-129 - Activism - Access Bypass +CVE-2012-4499 Drupal SA-CONTRIB-2012-131 - Email Field - Access Bypass +CVE-2012-4500 Drupal SA-CONTRIB-2012-132 - Announcements - Access Bypass
http://drupal.org/node/1679820 | SA-CONTRIB-2012-112 - Ubercart SecureTrading - Failure to follow guideline/specification http://drupal.org/node/1679888 | SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass http://drupal.org/node/1691446 | SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS) http://drupal.org/node/1700578 | SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS) Multiple Vulnerabilities: http://drupal.org/node/1700584 | SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) http://drupal.org/node/1700584 | SA-CONTRIB-2012-116 - Subuser - Access Bypass http://drupal.org/node/1700588 | SA-CONTRIB-2012-117 - Location - Access Bypass http://drupal.org/node/1700594 | SA-CONTRIB-2012-118 - Secure Login - Open Redirect http://drupal.org/node/1708058 | SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS) http://drupal.org/node/1708198 | SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass http://drupal.org/node/1719392 | SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS) http://drupal.org/node/1719402 | SA-CONTRIB-2012-122 - Better Revisions - Cross Site Scripting (XSS) http://drupal.org/node/1719462 | SA-CONTRIB-2012-123 - Shibboleth authentication - Access Bypass http://drupal.org/node/1719482 | SA-CONTRIB-2012-124 - Mime Mail - Access Bypass Multiple Vulnerabilities: http://drupal.org/node/1719548 | SA-CONTRIB-2012-125 - Chaos tool suite (ctools) - Local File Inclusion http://drupal.org/node/1719548 | SA-CONTRIB-2012-125 - Chaos tool suite (ctools) - Cross Site Scripting (XSS)
This sounds like a single issue with two possible outcomes? The module doesn't sufficiently validate css import statements to confirm they only include css content appropriate to show to end users. This could allow a malicious user to add sensitive content from the site (e.g. settings.php) exposing that sensitive content to visitors of the page. It could also be used to execute a Cross Site Scripting attack. Links to the code commits fixing this would be helpful.
http://drupal.org/node/1732946 | SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)
This is a multiple CVE issue?
http://drupal.org/node/1732980 | SA-CONTRIB-2012-127 - Custom Publishing Options - Cross Site Scripting (XSS) Vulnerability http://drupal.org/node/1733056 | SA-CONTRIB-2012-128 - Elegant Theme - Cross Site Scripting (XSS) http://drupal.org/node/1762160 | SA-CONTRIB-2012-129 - Activism - Access Bypass Multiple Vulnerabilities: http://drupal.org/node/1762220 | SA-CONTRIB-2012-130 - Jstool - Access Bypass http://drupal.org/node/1762220 | SA-CONTRIB-2012-130 - Jstool - Arbitrary code inclusion
The description/vulns don't seem to match up on this one. Can you clarify? The module does not protect its menu paths, which contain sensitive information about all javascript files on the site and their contents. The module does not validate filenames which can lead to potential read/write access to arbitrary files on the server. Links to the code commits fixing this would be helpful.
http://drupal.org/node/1762470 | SA-CONTRIB-2012-131 - Email Field - Access Bypass http://drupal.org/node/1762480 | SA-CONTRIB-2012-132 - Announcements - Access Bypass
http://drupal.org/node/1762482 | SA-CONTRIB-2012-133 - Taxonomy Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution
So this is the same root issue, not filtering file uploads allowing an attacker to upload arbitrary stuff (including PHP code), the outcome of which could be PHP code execution, or XSS (or other things I suppose like DoS, CSRF, etc.)?
Thanks, Josh - on behalf of the Drupal security team.
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQcR4XAAoJEBYNRVNeJnmTDe0P/iCLTgHkCF0Q5fg+6CW8c/uz 6PJBxD36OEitOC2wHMGEE7t3E95Nl/DfcKteUgByLUp7SJSAttGsVTLkeSIjFt3L nk0XFEbdGmrsBRs7WnmyiCQKMXL2TEOOXDoXpyB1VNshLIt02KIPOPgtx6/2iobI bmy51ycb0nn7+ENYYJ8VPG/QWq7vbXEzjVi/4gsZKmyu5zLyRnF0qwi90IIoh1zO o3NH3lLLkVU+TMRLd7oSvaoNjIgg9mcSaOon0H7bwdUmdT1PyJXL1aDq3teDI9+5 DhBoFyAy4m26FaxURryl4tbEbN1yKbC88MNxt/JTvrnvxNLAjAX+az1/CDnb02US luDNG30vuolI6zYqfOl1FZRIOtgZEBgJ41oTB6v/WQs0dKgiiZeSyxNMVWhlAmTc 0enbfC3rtzHU7N6HNdmuRhzrS9nInpNAJJr2Da0yPbDrP5WdCpSrmmi5zckpciAo OsqXefGKZqMOqvYEXAkbssAS/ACkv8WB++9jySPRc+ktK85t+mrwziuYIv9qGFTH u+CmX8y208Tlk3g8ptFY6DB2YFaAsiq7kRQaTf56VwhJvTpUZHYfR4DxMHVqToCi yX+55GRnIOngQwvOSbu6zIQ8Bpqd6iJHvKkUq4WM5r2XSPjRn5Uj3QyfKV/eHx4A SLMDKmKG4YtdCRTrFpob =gXGG -----END PGP SIGNATURE-----
Current thread:
- CVE Request for Drupal Contributed Modules Joshua Brauer (Oct 03)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Oct 03)
- Re: CVE Request for Drupal Contributed Modules Joshua Brauer (Oct 03)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Oct 03)
- Re: CVE Request for Drupal Contributed Modules Joshua Brauer (Oct 03)
- <Possible follow-ups>
- CVE Request for Drupal Contributed Modules Joshua Brauer (Oct 04)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Oct 06)
- Re: CVE Request for Drupal Contributed Modules Steven M. Christey (Oct 31)
- Re: CVE Request for Drupal Contributed Modules Greg Knaddison (Nov 05)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Oct 06)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Oct 03)
- CVE Request for Drupal Contributed Modules Forest Monsen (Nov 17)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Nov 20)
- Re: CVE Request for Drupal Contributed Modules Forest Monsen (Nov 20)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Nov 25)
- Re: CVE Request for Drupal Contributed Modules Forest Monsen (Nov 26)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Nov 26)
- Re: CVE Request for Drupal Contributed Modules Kurt Seifried (Nov 20)
- Re: CVE request for Drupal contributed modules Kurt Seifried (Nov 28)