|
Message-ID: <50711E17.7060502@redhat.com> Date: Sun, 07 Oct 2012 00:15:51 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Joshua Brauer <joshua@...uerranch.com> Subject: Re: CVE Request for Drupal Contributed Modules -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/04/2012 12:15 PM, Joshua Brauer wrote: > > This is a batch CVE request for several already published/resolved > issues with contributed modules for the Drupal project. Assigned most, need clarification on several issues. Top posting for ease of use. Please see below for questions. +CVE-2012-4482 Drupal SA-CONTRIB-2012-112 - Ubercart SecureTrading - Failure to follow guideline/specification +CVE-2012-4483 Drupal SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass +CVE-2012-4484 Drupal SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS) +CVE-2012-4485 Drupal SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS) +CVE-2012-4486 Drupal SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) +CVE-2012-4487 Drupal SA-CONTRIB-2012-116 - Subuser - Access Bypass +CVE-2012-4488 Drupal SA-CONTRIB-2012-117 - Location - Access Bypass +CVE-2012-4489 Drupal SA-CONTRIB-2012-118 - Secure Login - Open Redirect +CVE-2012-4490 Drupal SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS) +CVE-2012-4491 Drupal SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass +CVE-2012-4492 Drupal SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS) +CVE-2012-4493 Drupal SA-CONTRIB-2012-122 - Better Revisions - Cross Site Scripting (XSS) +CVE-2012-4494 Drupal SA-CONTRIB-2012-123 - Shibboleth authentication - - Access Bypass +CVE-2012-4495 Drupal SA-CONTRIB-2012-124 - Mime Mail - Access Bypass +CVE-2012-4496 Drupal SA-CONTRIB-2012-127 - Custom Publishing Options - - Cross Site Scripting (XSS) Vulnerability +CVE-2012-4497 Drupal SA-CONTRIB-2012-128 - Elegant Theme - Cross Site Scripting (XSS) +CVE-2012-4498 Drupal SA-CONTRIB-2012-129 - Activism - Access Bypass +CVE-2012-4499 Drupal SA-CONTRIB-2012-131 - Email Field - Access Bypass +CVE-2012-4500 Drupal SA-CONTRIB-2012-132 - Announcements - Access Bypass > http://drupal.org/node/1679820 | SA-CONTRIB-2012-112 - Ubercart > SecureTrading - Failure to follow guideline/specification > http://drupal.org/node/1679888 | SA-CONTRIB-2012-113 - Drupal > Commons - Access Bypass http://drupal.org/node/1691446 | > SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting > (XSS) http://drupal.org/node/1700578 | SA-CONTRIB-2012-115 - > Gallery formatter - Cross Site Scripting (XSS) > > > Multiple Vulnerabilities: http://drupal.org/node/1700584 | > SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) > http://drupal.org/node/1700584 | SA-CONTRIB-2012-116 - Subuser - > Access Bypass > > http://drupal.org/node/1700588 | SA-CONTRIB-2012-117 - Location - > Access Bypass http://drupal.org/node/1700594 | SA-CONTRIB-2012-118 > - Secure Login - Open Redirect http://drupal.org/node/1708058 | > SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS) > http://drupal.org/node/1708198 | SA-CONTRIB-2012-120 - Monthly > Archive by Node Type - Access Bypass http://drupal.org/node/1719392 > | SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS) > http://drupal.org/node/1719402 | SA-CONTRIB-2012-122 - Better > Revisions - Cross Site Scripting (XSS) > http://drupal.org/node/1719462 | SA-CONTRIB-2012-123 - Shibboleth > authentication - Access Bypass http://drupal.org/node/1719482 | > SA-CONTRIB-2012-124 - Mime Mail - Access Bypass > > > > Multiple Vulnerabilities: http://drupal.org/node/1719548 | > SA-CONTRIB-2012-125 - Chaos tool suite (ctools) - Local File > Inclusion http://drupal.org/node/1719548 | SA-CONTRIB-2012-125 - > Chaos tool suite (ctools) - Cross Site Scripting (XSS) This sounds like a single issue with two possible outcomes? The module doesn't sufficiently validate css import statements to confirm they only include css content appropriate to show to end users. This could allow a malicious user to add sensitive content from the site (e.g. settings.php) exposing that sensitive content to visitors of the page. It could also be used to execute a Cross Site Scripting attack. Links to the code commits fixing this would be helpful. > http://drupal.org/node/1732946 | SA-CONTRIB-2012-126 - Hotblocks - > Cross Site Scripting (XSS) and Denial of Service (DoS) This is a multiple CVE issue? > http://drupal.org/node/1732980 | SA-CONTRIB-2012-127 - Custom > Publishing Options - Cross Site Scripting (XSS) Vulnerability > http://drupal.org/node/1733056 | SA-CONTRIB-2012-128 - Elegant > Theme - Cross Site Scripting (XSS) http://drupal.org/node/1762160 | > SA-CONTRIB-2012-129 - Activism - Access Bypass > > > > Multiple Vulnerabilities: http://drupal.org/node/1762220 | > SA-CONTRIB-2012-130 - Jstool - Access Bypass > http://drupal.org/node/1762220 | SA-CONTRIB-2012-130 - Jstool - > Arbitrary code inclusion The description/vulns don't seem to match up on this one. Can you clarify? The module does not protect its menu paths, which contain sensitive information about all javascript files on the site and their contents. The module does not validate filenames which can lead to potential read/write access to arbitrary files on the server. Links to the code commits fixing this would be helpful. > http://drupal.org/node/1762470 | SA-CONTRIB-2012-131 - Email Field > - Access Bypass http://drupal.org/node/1762480 | > SA-CONTRIB-2012-132 - Announcements - Access Bypass > http://drupal.org/node/1762482 | SA-CONTRIB-2012-133 - Taxonomy > Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution So this is the same root issue, not filtering file uploads allowing an attacker to upload arbitrary stuff (including PHP code), the outcome of which could be PHP code execution, or XSS (or other things I suppose like DoS, CSRF, etc.)? > Thanks, Josh - on behalf of the Drupal security team. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQcR4XAAoJEBYNRVNeJnmTDe0P/iCLTgHkCF0Q5fg+6CW8c/uz 6PJBxD36OEitOC2wHMGEE7t3E95Nl/DfcKteUgByLUp7SJSAttGsVTLkeSIjFt3L nk0XFEbdGmrsBRs7WnmyiCQKMXL2TEOOXDoXpyB1VNshLIt02KIPOPgtx6/2iobI bmy51ycb0nn7+ENYYJ8VPG/QWq7vbXEzjVi/4gsZKmyu5zLyRnF0qwi90IIoh1zO o3NH3lLLkVU+TMRLd7oSvaoNjIgg9mcSaOon0H7bwdUmdT1PyJXL1aDq3teDI9+5 DhBoFyAy4m26FaxURryl4tbEbN1yKbC88MNxt/JTvrnvxNLAjAX+az1/CDnb02US luDNG30vuolI6zYqfOl1FZRIOtgZEBgJ41oTB6v/WQs0dKgiiZeSyxNMVWhlAmTc 0enbfC3rtzHU7N6HNdmuRhzrS9nInpNAJJr2Da0yPbDrP5WdCpSrmmi5zckpciAo OsqXefGKZqMOqvYEXAkbssAS/ACkv8WB++9jySPRc+ktK85t+mrwziuYIv9qGFTH u+CmX8y208Tlk3g8ptFY6DB2YFaAsiq7kRQaTf56VwhJvTpUZHYfR4DxMHVqToCi yX+55GRnIOngQwvOSbu6zIQ8Bpqd6iJHvKkUq4WM5r2XSPjRn5Uj3QyfKV/eHx4A SLMDKmKG4YtdCRTrFpob =gXGG -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.