  • Advisory ID: SA-2008-035
  • Project: Aggregation (third-party module)
  • Versions: 5.x
  • Date: 2008-June-11
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

The Aggregation module syndicates content from external feeds, saving the fetched items as nodes. A significant number of vulnerabilities were discovered in the module:

Cross site scripting - Numerous values are displayed without being properly escaped or filtered, which enables users to inject arbitrary HTML and script code on pages.

SQL Injection - Numerous values are used in SQL strings without being properly sanitized.

Arbitrary code execution - Maliciously constructed feeds can result in the upload of files with arbitrary extensions to the server. Whether this leads to arbitrary code execution depends on the exact server configuration.

Access bypass - Incorrect implementation of the access control results in access bypass when node access modules (taxonomy access control, acl) are used.
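The arbitrary code execution item above turns on one detail: the filename of a fetched enclosure is derived from an attacker-controlled feed, so the extension must be reduced to an administrator-configured allowlist before anything is written to the files directory. The following is an added illustration, not code from the Aggregation module or from Drupal core; the function names, the default allowlist and the sample URLs are constructed for this example.

```php
<?php
// Added example, not Aggregation module or Drupal core code. Function names
// and the default allowlist are assumptions made for the illustration.

// Vulnerable pattern: trust whatever filename and extension the feed supplies.
function enclosure_filename_unsafe($enclosure_url) {
  return basename(parse_url($enclosure_url, PHP_URL_PATH));
}

// Hardened pattern: keep a conservative base name plus one allowlisted extension.
// Returns NULL when the enclosure must be rejected rather than saved.
function enclosure_filename_safe($enclosure_url, array $allowed = array('jpg', 'jpeg', 'png', 'gif', 'mp3', 'pdf')) {
  $path = parse_url($enclosure_url, PHP_URL_PATH);
  if ($path === NULL || $path === FALSE) {
    return NULL;
  }
  $name = basename(rawurldecode($path));
  // Everything after the last dot is treated as the extension.
  $parts = explode('.', $name);
  if (count($parts) < 2) {
    return NULL;                       // no extension at all: nothing to allowlist against
  }
  $ext = strtolower(array_pop($parts));
  if (!in_array($ext, $allowed, TRUE)) {
    return NULL;                       // .php, .phtml, .htaccess and friends end here
  }
  // Neutralise inner extensions (shell.php.jpg -> shell_php.jpg) so that web server
  // multiple-extension handling cannot turn an allowed file back into a script.
  $base = implode('_', $parts);
  // Restrict the base name to a plain character set and never let it be empty.
  $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
  if ($base === '') {
    $base = 'enclosure';
  }
  return $base . '.' . $ext;
}

// Demonstration on constructed enclosure URLs.
$samples = array(
  'http://feed.example/media/song.mp3',
  'http://feed.example/media/shell.php',
  'http://feed.example/media/shell.php.jpg',
  'http://feed.example/media/.htaccess',
);
foreach ($samples as $url) {
  $safe = enclosure_filename_safe($url);
  printf("%-42s unsafe=%-15s safe=%s\n", $url, enclosure_filename_unsafe($url),
         $safe === NULL ? '(rejected)' : $safe);
}
```

Only the first and third samples are saved (as song.mp3 and shell_php.jpg); the bare .php and the dotfile are rejected before any file is written.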

Versions affected

  • Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4

Drupal core is not affected. If you do not use the contributed Aggregation module, there is nothing you need to do.

Solution

Install the latest version:

See also the Aggregation project page.

Reported by

The cross site scripting issue was publicly reported by fonan.
The other issues were identified by Adam Light (aclight) and Heine Deelstra (Heine) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.