[Security announcements] SA-CONTRIB-2009-002 - Project issue tracking - Multiple vulnerabilities


* Advisory ID: DRUPAL-SA-CONTRIB-2009-002

* Project: Project issue tracking (third-party module)

* Version: 5.x-2.x

* Date: 2009-January-07

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Node access bypass, Cross-site scripting (XSS)

---- DESCRIPTION ----

This announcement covers the following two issues for the Project issue
tracking module [ http://drupal.org/project/project_issue ].

* Under certain conditions, users may receive email updates for issues that
they do not have access rights to view. This mainly affects sites that use a
contributed node access module, but it also affects issues that have been
unpublished.

* Malicious users with the "administer projects" permission are able to
inject arbitrary HTML and script (XSS) when adding or editing issue status
values. This is only an issue if you need any role separation between
administrators and users with the "administer projects" permission.

Wikipedia has more information about cross-site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).
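The following PHP is an added illustration of the two defensive patterns the advisory implies, written in Drupal 5 module style; it is not the project_issue module's own code and not the fix shipped in 5.x-2.3. The function names issue_notify_example() and issue_status_rows_example() are hypothetical, the subscriber list is assumed to come from the module's own subscription table, and it is assumed that node_access() accepts the recipient's uid as its third argument, as it did in Drupal 5 (Drupal 6 takes a user object instead). node_access(), user_load(), drupal_mail(), check_plain(), url() and t() are Drupal core APIs.

```php
<?php
// Added example (not project_issue code): gate issue notification emails on
// node access, and escape admin-entered status names on output.

/**
 * Send an update email about an issue node only to subscribers who are
 * allowed to view that node under the site's node access rules.
 *
 * The bug class described in the advisory is a notification path that
 * trusts the subscription list alone. Re-checking node_access() per
 * recipient honours contributed node access modules (grants in the
 * node_access table) and keeps unpublished issues from being broadcast.
 *
 * @param object $node            The issue node that changed (node_load() result).
 * @param array  $subscriber_uids User IDs subscribed to the issue (assumed to
 *                                come from the module's subscription table).
 * @return array The uids that were actually notified, for logging.
 */
function issue_notify_example($node, $subscriber_uids) {
  $notified = array();
  foreach ($subscriber_uids as $uid) {
    $account = user_load(array('uid' => $uid));
    if (!$account || empty($account->mail)) {
      continue;
    }
    // Assumption: third argument is the uid whose access is evaluated
    // (Drupal 5 signature). Skip anyone who may not view this node.
    if (!node_access('view', $node, $account->uid)) {
      continue;
    }
    $subject = t('Issue updated: @title', array('@title' => $node->title));
    $body = t("The issue @title has been updated.\n@url", array(
      '@title' => $node->title,
      '@url' => url('node/' . $node->nid, NULL, NULL, TRUE),
    ));
    drupal_mail('issue_update_example', $account->mail, $subject, $body);
    $notified[] = $uid;
  }
  return $notified;
}

/**
 * Build rows for theme('table') from status values entered by users with
 * the "administer projects" permission.
 *
 * theme_table() does not escape cell contents, so any value that was typed
 * by a user must pass through check_plain() before it lands in the page;
 * otherwise a status name such as <script>...</script> executes in the
 * browser of every user who views the issue list.
 *
 * @param array $statuses Map of status id => status name as stored.
 * @return array Rows of escaped cells suitable for theme('table').
 */
function issue_status_rows_example($statuses) {
  $rows = array();
  foreach ($statuses as $sid => $name) {
    $rows[] = array(
      (int) $sid,          // integer-cast ids need no escaping
      check_plain($name),  // <, >, &, " become entities; markup is shown literally
    );
  }
  return $rows;
}
```

The same escaping rule applies wherever the status name is rendered, including select options and filter forms; casting ids to integers and running every user-supplied string through check_plain() at output time is the habit that closes this class of XSS regardless of which permission the author of the value held.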

---- VERSIONS AFFECTED ----

* Project issue tracking (project_issue) for Drupal 5.x prior to 5.x-2.3

Drupal core is not affected. If you do not use the contributed Project issue
tracking module, there is nothing you need to do.

---- SOLUTION ----

Install the latest version:

* Project issue tracking 5.x-2.3 [ http://drupal.org/node/355709 ]

See also the Project issue tracking project page [
http://drupal.org/project/project_issue ].

---- REPORTED BY ----

* The access bypass vulnerability was reported by Damien Tournoud [
http://drupal.org/user/22211 ] of the Drupal Security team [
http://drupal.org/security-team ].

* The cross-site scripting vulnerability was reported by Derek Wright (dww [
http://drupal.org/user/46549 ]) of the Drupal Security team [
http://drupal.org/security-team ].

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].