Wednesday, December 17, 2008

[Security announcements] SA-2008-075 - Views - SQL Injection

------------SA-2008-075 - VIEWS - SQL INJECTION------------

* Advisory ID: DRUPAL-SA-2008-075

* Project: Views

* Versions: 6.x

* Date: 2008-December-16

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: SQL injection

------------DESCRIPTION------------

The Views module provides a flexible method for Drupal site designers to
control how lists of content are presented.

When using an exposed filter on CCK [ http://drupal.org/project/cck ] text
fields with allowed values, Views does not properly sanitize the submitted
filter value before using it in a database query. This may allow malicious
users to conduct SQL injection [ http://en.wikipedia.org/wiki/SQL_injection ]
attacks against the site.

------------VERSIONS AFFECTED------------

* Versions of Views for Drupal 6.x prior to 6.x-2.2

Drupal core is not affected. If you do not use the Views module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version.

* If you use Views for Drupal 6.x upgrade to 6.x-2.2 [
http://drupal.org/node/347831 ]

Also see the Views project page [ http://drupal.org/project/views ].

------------REPORTED BY------------

* Peter Fisera (goatvirus [ http://drupal.org/user/360900 ])

* Mariano D'Agostino (dagmar [ http://drupal.org/user/154086 ])

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.

--
Unsubscribe from this newsletter: http://drupal.org/newsletter/confirm/remove/73ff60b93f11343t44

[Security announcements] SA-2008-074 - Services - Insecure signing

------------SA-2008-074 - SERVICES - INSECURE SIGNING------------

* Advisory ID: DRUPAL-SA-2008-074

* Project: Services (third-party module)

* Versions: 5.x and 6.x

* Security risk: Critical

* Exploitable from: Remote

* Vulnerability: Repeat attacks and impersonation

------------DESCRIPTION------------

Services is a module which provides an API for exposing Drupal functions. It
allows clients to remotely call methods on the server and return the requested
data for local processing.

The module does not sign enough of the information that passes through it and
uses an insecure hash for signing the part of the request that it does cover,
allowing for impersonation attacks. In addition, the validity of a signed
request does not time out, so the same request can be submitted multiple
times, allowing for repeat (replay) attacks.
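The three weaknesses in the description map onto three checks a request signer has to make. The following is an added example, written in Python for illustration and not the Services module's own code: the signature covers the whole request (method, parameters, timestamp, nonce) with HMAC-SHA256 rather than a bare hash over part of it, a request older than a fixed window is refused, and a nonce is accepted only once. The shared secret, the method name and the parameter layout are constructed for the demonstration.

```python
"""Added example, not the Services module's own code: sign the whole
request with an HMAC, expire it after MAX_AGE seconds, and reject reuse
of a nonce. Secret, method names and message layout are constructed."""
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret; a real deployment uses a per-client key
# stored server-side and never sent with the request.
SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_AGE = 300  # seconds a signed request stays valid


def canonical(method, params, timestamp, nonce):
    # Everything that influences what the server does goes into the signed
    # string, with a deterministic encoding so client and server agree.
    body = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return "%s\n%s\n%d\n%s" % (method, body, timestamp, nonce)


def sign_request(method, params, secret=SECRET, now=None):
    timestamp = int(now if now is not None else time.time())
    nonce = os.urandom(16).hex()
    msg = canonical(method, params, timestamp, nonce).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"method": method, "params": params, "timestamp": timestamp,
            "nonce": nonce, "hmac": mac}


class Verifier:
    """Server side: returns (accepted, reason)."""

    def __init__(self, secret=SECRET, max_age=MAX_AGE):
        self.secret = secret
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp, for replay detection

    def verify(self, req, now=None):
        now = now if now is not None else time.time()
        # 1. Freshness: a stale request is refused before anything else,
        #    which also bounds how long nonces must be remembered.
        if abs(now - req["timestamp"]) > self.max_age:
            return False, "expired"
        # 2. Replay: each nonce is accepted exactly once inside the window.
        if req["nonce"] in self.seen:
            return False, "replay"
        # 3. Integrity over the whole request, compared in constant time.
        msg = canonical(req["method"], req["params"],
                        req["timestamp"], req["nonce"]).encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["hmac"]):
            return False, "bad signature"
        self.seen[req["nonce"]] = req["timestamp"]
        self._prune(now)
        return True, "ok"

    def _prune(self, now):
        # Forget nonces that can no longer pass the freshness check.
        for nonce, ts in list(self.seen.items()):
            if abs(now - ts) > self.max_age:
                del self.seen[nonce]
```

Because the parameters are inside the signed string, swapping them on a captured request invalidates the HMAC; because the nonce is remembered for the life of the window, re-sending the identical request is refused; and because the timestamp is checked first, the server does not have to keep nonces forever.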

------------VERSIONS AFFECTED------------

* Versions of Services for Drupal 5.x prior to 5.x-0.92

* Versions of Services for Drupal 6.x prior to 6.x-0.13

Drupal core is not affected. If you do not use the Services module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version.

* If you use Services for Drupal 5.x upgrade to Services 5.x-0.92 [
http://drupal.org/node/303265 ]

* If you use Services for Drupal 6.x upgrade to Services 6.x-0.13 [
http://drupal.org/node/304938 ]

Also see the Services project page [ http://drupal.org/project/services ].

------------REPORTED BY------------

* Steven Wittens (Steven [ http://drupal.org/user/10 ])

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.


Wednesday, December 10, 2008

[Security announcements] SA-2008-073 - Drupal core - Multiple vulnerabilities

------------SA-2008-073 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-073

* Project: Drupal core

* Versions: 5.x and 6.x

* Date: 2008-December-10

* Security risk: Moderately Critical

* Exploitable from: Remote

* Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

CROSS SITE REQUEST FORGERY

The update system is vulnerable to Cross site request forgeries [
http://en.wikipedia.org/wiki/Csrf ]. Malicious users may cause the superuser
(user 1) to execute old updates that may damage the database.
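The usual defence is a token tied to the logged-in session and to the specific action, checked before the state-changing operation runs; a cross-site page can make the superuser's browser send the request, but it cannot read or forge that token. The following is an added example in Python, not Drupal's own update.php or token code; the session id, site key and form layout are constructed for the demonstration.

```python
"""Added example, not Drupal's own code: a CSRF token bound to the session
and to the action it protects, checked before an update is re-run.
Site key, session id and form field names are constructed."""
import hashlib
import hmac
import os

# Constructed site secret; a real site persists one key across requests.
PRIVATE_KEY = os.urandom(32)


def get_token(session_id, value):
    # Bound to both the session and the action ("update-12"), so a token
    # leaked for one action or one user does not authorize another.
    msg = ("%s:%s" % (session_id, value)).encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token, session_id, value):
    return hmac.compare_digest(token or "", get_token(session_id, value))


def run_update(session_id, form):
    """Handler for a POST asking to re-run update N. A forged cross-site
    request carries no token (or one bound to another action) and is
    refused before anything touches the database."""
    value = "update-%s" % form.get("update")
    if not valid_token(form.get("token"), session_id, value):
        return "denied"
    return "ran update %s" % form["update"]
```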

CROSS SITE SCRIPTING

When an input format is deleted, not all existing content on a site is updated
to reflect this deletion. Such content is then displayed unfiltered. This may
lead to cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting
] attacks when harmful tags are no longer stripped from 'malicious' content that
was posted earlier.
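The failure here is fail-open: a lookup of a format that no longer exists falls through to raw output. The following added example (Python, not Drupal's check_markup) shows that pattern beside the fail-closed version, which treats an unknown format as the most restrictive one. The format table, the allowlist and the sample content are constructed for the demonstration.

```python
"""Added example, not Drupal's own code: render stored text through its
input format; when the format has been deleted, fall back to the most
restrictive filter rather than echoing raw markup."""
import html

# Constructed format table; id 1 is the site default.
FORMATS = {1: "filtered", 2: "full"}
DEFAULT_FORMAT = 1
ALLOWED_TAGS = ("em", "strong", "p")


def filtered_html(text):
    # Escape everything, then restore only attribute-free allowlisted tags.
    out = html.escape(text, quote=False)
    for tag in ALLOWED_TAGS:
        out = out.replace("&lt;%s&gt;" % tag, "<%s>" % tag)
        out = out.replace("&lt;/%s&gt;" % tag, "</%s>" % tag)
    return out


def check_markup_vulnerable(text, format_id):
    # Bug pattern: an unknown (deleted) format matches no branch and the
    # stored text is returned exactly as the author submitted it.
    if FORMATS.get(format_id) == "filtered":
        return filtered_html(text)
    return text


def check_markup(text, format_id):
    # Fail closed: only a known, explicitly unrestricted format passes text
    # through; a deleted format is rendered with the site default filter.
    fmt = FORMATS.get(format_id, FORMATS[DEFAULT_FORMAT])
    if fmt == "full":
        return text
    return filtered_html(text)
```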

------------VERSIONS AFFECTED------------

* Drupal 5.x before version 5.13

* Drupal 6.x before version 6.7

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 5.x then upgrade to Drupal 5.13 [
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz ].

* If you are running Drupal 6.x then upgrade to Drupal 6.7 [
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz ].

Note: the robots.txt and .htaccess files have changed and need to be replaced.
The settings.php file has not been changed and can be left as it was if
upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. The patches fix security
vulnerabilities, but do not contain other fixes which were released in these
versions.

* To patch Drupal 5.12 use SA-2008-073-5.12.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch ].

* To patch Drupal 6.6 use SA-2008-073-6.6.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-6.6.patch ].

------------REPORTED BY------------

Both issues were reported by David Rothstein (David_Rothstein [
http://drupal.org/user/124982 ]).

------------CONTACT------------

The security team for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


Wednesday, December 03, 2008

[Security announcements] SA-2008-072 - Storm Project - SQL injection

------------SA-2008-072 - STORM PROJECT - SQL INJECTION------------

* Advisory ID: DRUPAL-SA-2008-072

* Project: Storm Project

* Versions: 5.x and 6.x

* Date: 2008-December-03

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: SQL injection

------------DESCRIPTION------------

Storm (SpeedTech Organization and Resource Manager) is a project management
application for Drupal.

Unfortunately the Storm module allows users with access to the storm projects
to enter input values which are then used directly in SQL queries without being
sanitized, enabling SQL injection attacks [
http://en.wikipedia.org/wiki/SQL_injection ] by malicious users.
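Both this advisory and SA-2008-075 (Views) above describe the same root cause: a value that came from the request is placed into the SQL text. The following is an added example in Python with sqlite3, standing in for the PHP in either module and not their code, that shows the injectable pattern, the same query with the value bound as a parameter, and, for the exposed-filter case in SA-2008-075, the additional check that a submitted value is one of the filter's allowed values. Table, rows, allowed-value list and payload are constructed for the demonstration.

```python
"""Added example, not Views or Storm code: a request value concatenated
into SQL versus the same query with a bound parameter plus an
allowed-values check. Schema, rows and payload are constructed."""
import sqlite3

# The "status" column plays the role of a text field whose exposed filter
# offers a fixed list of allowed values.
ALLOWED_VALUES = ("open", "closed")

# Payload a user could submit through the filter or a form; constructed.
PAYLOAD = "x' UNION SELECT name || ':' || pass FROM users -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?)", [
        (1, "Public roadmap", "open"),
        (2, "Closed project", "closed"),
    ])
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pass')")
    return conn


def vulnerable_filter(conn, value):
    # Bug pattern: the submitted value becomes part of the SQL text, so a
    # quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT title FROM node WHERE status = '%s'" % value
    return [row[0] for row in conn.execute(sql)]


def parameterized_filter(conn, value):
    # Binding alone is sufficient against injection: the driver passes the
    # value to the engine separately and it can never alter the query.
    sql = "SELECT title FROM node WHERE status = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def safe_filter(conn, value):
    # For an exposed filter with a known option list, also refuse anything
    # outside that list before the query runs, so the payload is rejected
    # outright rather than merely neutralized.
    if value not in ALLOWED_VALUES:
        raise ValueError("value not in allowed list: %r" % value)
    return parameterized_filter(conn, value)
```

Run against the constructed database, the injectable version returns the contents of the users table for the payload, the parameterized version returns no rows, and the allowed-values version refuses to query at all.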

------------VERSIONS AFFECTED------------

* Versions of Storm for Drupal 5.x prior to 5.x-1.14

* Versions of Storm for Drupal 6.x prior to 6.x-1.18

Drupal core is not affected. If you do not use the Storm module, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version.

* If you use Storm for Drupal 5.x upgrade to 5.x-1.14 [
http://drupal.org/node/342264 ]

* If you use Storm for Drupal 6.x upgrade to 6.x-1.18 [
http://drupal.org/node/342263 ]

Also see the Storm project page [ http://drupal.org/project/storm ].

------------REPORTED BY------------

Jakub Suchy (meba [ http://drupal.org/user/31977 ])

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.
