SA-CONTRIB-2009-084 - LDAP Integration - Multiple Vulnerabilities

By Drupal Security Team on 28 Oct 2009 at 20:57 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2009-084
Project: LDAP Integration (third-party module)
Version: 6.x, 5.x
Date: 2009-October-28
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

The LDAP Integration module enables users to authenticate against LDAP servers.

The module does not properly implement confirmation pages for the LDAP server activation/deactivation which could lead to a Cross Site Request Forgery (CSRF) attack. The user defined server name is not properly escaped on the administration pages making it vulnerable to a cross site scripting (XSS) attack.
User LDAP data can be viewed by un-authorized users, as it is not properly access controlled before being displayed on user profile pages. Additionally some user management access rules were ignored during the authentication process.

Versions affected

LDAP Integration module versions for Drupal 6.x prior to LDAP Integration 6.x-1.0-beta2
LDAP Integration module versions for Drupal 5.x prior to LDAP Integration 5.x-1.5
LDAP Integration module versions for Drupal 4.7.x are now unsupported.

Drupal core is not affected. If you do not use the contributed LDAP Integration module, there is nothing you need to do.

Solution

Install the latest version.

If you use the LDAP Integration module for Drupal 6.x upgrade to LDAP Integration 6.x-1.0-beta2
If you use the LDAP Integration module for Drupal 5.x upgrade to LDAP Integration 5.x-1.5
If you use the LDAP Integration module for Drupal 4.7.x, disable the module.

Reported by

The XSS vulnerability was reported by Jakub Suchy of the Drupal Security Team.
The CSRF vulnerability was reported by Stéphane Corlosquet of the Drupal Security Team.
The Access Bypass vulnerabilities were reported by Christian A. Reiter and Matt Vance.
The User management access rules vulnerability was reported by Kevin Murphy.