• Advisory ID: DRUPAL-SA-CONTRIB-2012-154
  • Project: Basic webmail (third-party module)
  • Version: 6.x
  • Date: 2012-October-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities

Description

This module allows site users to read and write e-mail through an IMAP mail server.

There are four issues being addressed by this security advisory:

  • The module doesn't sufficiently sanitize data when setting the page title.
  • The module may store Drupal login IDs and passwords in plain text in the serialized data column of the users table.
  • The module doesn't sufficiently sanitize data displayed from e-mail messages.
  • The module allows users who have the 'access basic_webmail' permission to view the e-mail address of other site users.
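
To make the four issue classes concrete, the following is an added illustration written for this page; it is not code from the Basic webmail module or from the Drupal Security Team. The Drupal 6 API functions it calls (drupal_set_title(), check_plain(), filter_xss(), user_save(), user_access(), user_load()) are real; the example_webmail_* function names, the layout of the $message array and the webmail_username / webmail_password keys are assumed for the illustration. Each vulnerable pattern is shown beside a hardened one.

```php
<?php
// Added illustration, not the Basic webmail module's code. Drupal 6 core
// functions are real; example_webmail_* names, the $message array and the
// webmail_* keys are assumed for the example.

/**
 * Issues 1 and 3 (vulnerable): untrusted IMAP data reaches the page title and
 * the page body unsanitized. In Drupal 6, drupal_set_title() expects HTML that
 * is already safe and the theme prints it verbatim, so an attacker-controlled
 * Subject header such as <script>...</script> runs in the reader's browser.
 */
function example_webmail_view_vulnerable($message) {
  drupal_set_title($message['subject']);
  return '<div class="webmail-body">' . $message['body'] . '</div>';
}

/**
 * Issues 1 and 3 (hardened): check_plain() for a plain-text context such as
 * the title; filter_xss() with a tight tag whitelist for HTML bodies (it drops
 * script tags, event-handler attributes and javascript: URLs); check_plain()
 * plus nl2br() for text/plain bodies.
 */
function example_webmail_view_hardened($message) {
  drupal_set_title(check_plain($message['subject']));
  if ($message['content_type'] == 'text/html') {
    $body = filter_xss($message['body'], array('a', 'p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'blockquote'));
  }
  else {
    $body = nl2br(check_plain($message['body']));
  }
  return '<div class="webmail-body">' . $body . '</div>';
}

/**
 * Issue 2 (vulnerable): in Drupal 6, any key passed to user_save() that is not
 * a column of the users table is serialized into users.data. Saving the mail
 * password this way leaves it in plain text for anyone with read access to the
 * database or to a backup.
 */
function example_webmail_settings_submit_vulnerable($form, &$form_state) {
  global $user;
  user_save($user, array(
    'webmail_username' => $form_state['values']['username'],
    'webmail_password' => $form_state['values']['password'],  // plain text in users.data
  ));
}

/**
 * Issue 2 (hardened): persist only the username; keep the password in the
 * session for the life of the login instead of permanently in users.data.
 * Drupal still serializes $_SESSION into the sessions table, so if long-term
 * persistence is required the value must be encrypted under a key held
 * outside the database; the plain value is never written to users.data.
 */
function example_webmail_settings_submit_hardened($form, &$form_state) {
  global $user;
  user_save($user, array('webmail_username' => $form_state['values']['username']));
  $_SESSION['webmail_password'] = $form_state['values']['password'];
}

/**
 * Issue 4: 'access basic_webmail' only says a user may use the mailer; it is
 * not an authorization to read other accounts' e-mail addresses. A separate
 * decision is needed: here a user may read only their own address unless they
 * hold Drupal core's 'administer users' permission.
 */
function example_webmail_recipient_address($uid) {
  global $user;
  if ($uid != $user->uid && !user_access('administer users')) {
    return FALSE;
  }
  $account = user_load($uid);
  return $account ? $account->mail : FALSE;
}
```

The two XSS sinks differ in context: a title is a text node, so escaping with check_plain() is correct, whereas a mail body that must render as HTML needs a whitelist filter rather than escaping. The permission check for issue 4 is the pattern to look for in any module that maps a "may use this feature" permission onto a read of other users' account data.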

CVE identifier(s) issued

  • XSS: CVE-2012-5569
  • Information disclosure: CVE-2012-5570

Versions affected

  • Basic webmail 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Basic webmail module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Basic webmail module for Drupal 6.x, upgrade to Basic webmail 6.x-1.2 (the first release not listed as affected above).

Because earlier versions may already have written mail credentials in plain text to the data column of the users table, check that column after upgrading and have any affected users change their mail passwords.

Also see the Basic webmail project page.

Reported by

  • Hunter Fox, provisional member of the Drupal Security Team

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.