Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 07 Oct 2012 00:15:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Joshua Brauer <joshua@...uerranch.com>
Subject: Re: CVE Request for Drupal Contributed Modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/2012 12:15 PM, Joshua Brauer wrote:
> 
> This is a batch CVE request for several already published/resolved
> issues with contributed modules for the Drupal project.

Assigned most, need clarification on several issues. Top posting for
ease of use. Please see below for questions.

+CVE-2012-4482 Drupal SA-CONTRIB-2012-112 - Ubercart SecureTrading -
Failure to follow guideline/specification
+CVE-2012-4483 Drupal SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass
+CVE-2012-4484 Drupal SA-CONTRIB-2012-114 - Campaign Monitor - Cross
Site Scripting (XSS)
+CVE-2012-4485 Drupal SA-CONTRIB-2012-115 - Gallery formatter - Cross
Site Scripting (XSS)
+CVE-2012-4486 Drupal SA-CONTRIB-2012-116 - Subuser - Cross Site
Request Forgery (CSRF)
+CVE-2012-4487 Drupal SA-CONTRIB-2012-116 - Subuser - Access Bypass
+CVE-2012-4488 Drupal SA-CONTRIB-2012-117 - Location - Access Bypass
+CVE-2012-4489 Drupal SA-CONTRIB-2012-118 - Secure Login - Open Redirect
+CVE-2012-4490 Drupal SA-CONTRIB-2012-119 - Excluded Users - Cross
Site Scripting (XSS)
+CVE-2012-4491 Drupal SA-CONTRIB-2012-120 - Monthly Archive by Node
Type - Access Bypass
+CVE-2012-4492 Drupal SA-CONTRIB-2012-121 - Shorten URLs - Cross Site
Scripting (XSS)
+CVE-2012-4493 Drupal SA-CONTRIB-2012-122 - Better Revisions - Cross
Site Scripting (XSS)
+CVE-2012-4494 Drupal SA-CONTRIB-2012-123 - Shibboleth authentication
- - Access Bypass
+CVE-2012-4495 Drupal SA-CONTRIB-2012-124 - Mime Mail - Access Bypass
+CVE-2012-4496 Drupal SA-CONTRIB-2012-127 - Custom Publishing Options
- - Cross Site Scripting (XSS) Vulnerability
+CVE-2012-4497 Drupal SA-CONTRIB-2012-128 - Elegant Theme - Cross Site
Scripting (XSS)
+CVE-2012-4498 Drupal SA-CONTRIB-2012-129 - Activism - Access Bypass
+CVE-2012-4499 Drupal SA-CONTRIB-2012-131 - Email Field - Access Bypass
+CVE-2012-4500 Drupal SA-CONTRIB-2012-132 - Announcements - Access Bypass

> http://drupal.org/node/1679820 | SA-CONTRIB-2012-112 - Ubercart
> SecureTrading - Failure to follow guideline/specification 
> http://drupal.org/node/1679888 | SA-CONTRIB-2012-113 - Drupal
> Commons - Access Bypass http://drupal.org/node/1691446 |
> SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting
> (XSS) http://drupal.org/node/1700578 | SA-CONTRIB-2012-115 -
> Gallery formatter - Cross Site Scripting (XSS)
> 
> 
> Multiple Vulnerabilities: http://drupal.org/node/1700584 |
> SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) 
> http://drupal.org/node/1700584 | SA-CONTRIB-2012-116 - Subuser -
> Access Bypass
> 
> http://drupal.org/node/1700588 | SA-CONTRIB-2012-117 - Location -
> Access Bypass http://drupal.org/node/1700594 | SA-CONTRIB-2012-118
> - Secure Login - Open Redirect http://drupal.org/node/1708058 |
> SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS) 
> http://drupal.org/node/1708198 | SA-CONTRIB-2012-120 - Monthly
> Archive by Node Type - Access Bypass http://drupal.org/node/1719392
> | SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS) 
> http://drupal.org/node/1719402 | SA-CONTRIB-2012-122 - Better
> Revisions - Cross Site Scripting (XSS) 
> http://drupal.org/node/1719462 | SA-CONTRIB-2012-123 - Shibboleth
> authentication - Access Bypass http://drupal.org/node/1719482 |
> SA-CONTRIB-2012-124 - Mime Mail - Access Bypass
> 
> 
> 
> Multiple Vulnerabilities: http://drupal.org/node/1719548 |
> SA-CONTRIB-2012-125 - Chaos tool suite (ctools) - Local File
> Inclusion http://drupal.org/node/1719548 | SA-CONTRIB-2012-125 -
> Chaos tool suite (ctools) - Cross Site Scripting (XSS)

This sounds like a single issue with two possible outcomes?

The module doesn't sufficiently validate css import statements to
confirm they only include css content appropriate to show to end
users. This could allow a malicious user to add sensitive content from
the site (e.g. settings.php) exposing that sensitive content to
visitors of the page. It could also be used to execute a Cross Site
Scripting attack.

Links to the code commits fixing this would be helpful.

> http://drupal.org/node/1732946 | SA-CONTRIB-2012-126 - Hotblocks -
> Cross Site Scripting (XSS) and Denial of Service (DoS)

This is a multiple CVE issue?

> http://drupal.org/node/1732980 | SA-CONTRIB-2012-127 - Custom
> Publishing Options - Cross Site Scripting (XSS) Vulnerability 
> http://drupal.org/node/1733056 | SA-CONTRIB-2012-128 - Elegant
> Theme - Cross Site Scripting (XSS) http://drupal.org/node/1762160 |
> SA-CONTRIB-2012-129 - Activism - Access Bypass
> 
> 
> 
> Multiple Vulnerabilities: http://drupal.org/node/1762220 |
> SA-CONTRIB-2012-130 - Jstool - Access Bypass 
> http://drupal.org/node/1762220 | SA-CONTRIB-2012-130 - Jstool -
> Arbitrary code inclusion

The description/vulns don't seem to match up on this one. Can you clarify?

The module does not protect its menu paths, which contain sensitive
information about all javascript files on the site and their contents.
The module does not validate filenames which can lead to potential
read/write access to arbitrary files on the server.

Links to the code commits fixing this would be helpful.

> http://drupal.org/node/1762470 | SA-CONTRIB-2012-131 - Email Field
> - Access Bypass http://drupal.org/node/1762480 |
> SA-CONTRIB-2012-132 - Announcements - Access Bypass


> http://drupal.org/node/1762482 | SA-CONTRIB-2012-133 - Taxonomy
> Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution
So this is the same root issue, not filtering file uploads allowing an
attacker to upload arbitrary stuff (including PHP code), the outcome
of which could be PHP code execution, or XSS (or other things I
suppose like DoS, CSRF, etc.)?


> Thanks, Josh - on behalf of the Drupal security team.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQcR4XAAoJEBYNRVNeJnmTDe0P/iCLTgHkCF0Q5fg+6CW8c/uz
6PJBxD36OEitOC2wHMGEE7t3E95Nl/DfcKteUgByLUp7SJSAttGsVTLkeSIjFt3L
nk0XFEbdGmrsBRs7WnmyiCQKMXL2TEOOXDoXpyB1VNshLIt02KIPOPgtx6/2iobI
bmy51ycb0nn7+ENYYJ8VPG/QWq7vbXEzjVi/4gsZKmyu5zLyRnF0qwi90IIoh1zO
o3NH3lLLkVU+TMRLd7oSvaoNjIgg9mcSaOon0H7bwdUmdT1PyJXL1aDq3teDI9+5
DhBoFyAy4m26FaxURryl4tbEbN1yKbC88MNxt/JTvrnvxNLAjAX+az1/CDnb02US
luDNG30vuolI6zYqfOl1FZRIOtgZEBgJ41oTB6v/WQs0dKgiiZeSyxNMVWhlAmTc
0enbfC3rtzHU7N6HNdmuRhzrS9nInpNAJJr2Da0yPbDrP5WdCpSrmmi5zckpciAo
OsqXefGKZqMOqvYEXAkbssAS/ACkv8WB++9jySPRc+ktK85t+mrwziuYIv9qGFTH
u+CmX8y208Tlk3g8ptFY6DB2YFaAsiq7kRQaTf56VwhJvTpUZHYfR4DxMHVqToCi
yX+55GRnIOngQwvOSbu6zIQ8Bpqd6iJHvKkUq4WM5r2XSPjRn5Uj3QyfKV/eHx4A
SLMDKmKG4YtdCRTrFpob
=gXGG
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.