- Advisory ID: DRUPAL-SA-CONTRIB-2009-084
- Project: LDAP Integration (third-party module)
- Version: 6.x, 5.x
- Date: 2009-October-28
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
The LDAP Integration module enables users to authenticate against LDAP servers.
The module does not properly implement confirmation pages for LDAP server activation and deactivation, which could lead to a cross-site request forgery (CSRF) attack. The user-defined server name is not properly escaped on the administration pages, making it vulnerable to a cross-site scripting (XSS) attack.
User LDAP data can be viewed by unauthorized users, as it is not properly access controlled before being displayed on user profile pages. Additionally, some user management access rules were ignored during the authentication process.
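The three defects above correspond to three Drupal 6 API habits: state-changing admin actions go through confirm_form(), which carries a form token so a bare GET link cannot trigger them; user-supplied strings are escaped before reaching HTML; and per-user data is gated on the viewer's identity or permission. The following is an added illustration of those fixes, not the module's own code; the example_ function names and the server loader are hypothetical.

```php
<?php
// Added illustration, not the LDAP Integration module's code. Functions prefixed
// example_ are hypothetical; confirm_form(), t(), check_plain(), user_access() and
// hook_user() are the real Drupal 6 APIs.

// CSRF fix: route the toggle through a confirmation form. confirm_form() adds a
// form token, so the state change only happens on a POST of a form this site
// rendered, never on a link an attacker plants elsewhere.
function example_ldap_menu() {
  $items['admin/settings/ldap/%/toggle'] = array(
    'title' => 'Activate or deactivate LDAP server',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ldap_toggle_confirm', 3),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_ldap_toggle_confirm($form_state, $sid) {
  $server = example_ldap_server_load($sid); // hypothetical loader
  $form['sid'] = array('#type' => 'value', '#value' => $sid);
  // XSS fix: the server name is user-defined; the %name placeholder in t()
  // runs it through check_plain() before it is embedded in the question.
  $question = t('Change activation of server %name?', array('%name' => $server->name));
  return confirm_form($form, $question, 'admin/settings/ldap', NULL, t('Confirm'), t('Cancel'));
}

function example_ldap_toggle_confirm_submit($form, &$form_state) {
  example_ldap_server_toggle($form_state['values']['sid']); // hypothetical
  $form_state['redirect'] = 'admin/settings/ldap';
}

// Access fix: show a user's LDAP data only to that user or to an administrator,
// instead of to everyone who can view the profile page.
function example_ldap_user($op, &$edit, &$account, $category = NULL) {
  global $user;
  if ($op != 'view' || empty($account->ldap_dn)) {
    return;
  }
  if ($user->uid != $account->uid && !user_access('administer users')) {
    return;
  }
  $account->content['ldap'] = array(
    '#type' => 'user_profile_category',
    '#title' => t('LDAP'),
    'dn' => array(
      '#type' => 'user_profile_item',
      '#title' => t('Distinguished name'),
      '#value' => check_plain($account->ldap_dn), // escape before output
    ),
  );
}
```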
Versions affected
- LDAP Integration module versions for Drupal 6.x prior to LDAP Integration 6.x-1.0-beta2
- LDAP Integration module versions for Drupal 5.x prior to LDAP Integration 5.x-1.5
- LDAP Integration module versions for Drupal 4.7.x are now unsupported.
Drupal core is not affected. If you do not use the contributed LDAP Integration module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the LDAP Integration module for Drupal 6.x upgrade to LDAP Integration 6.x-1.0-beta2
- If you use the LDAP Integration module for Drupal 5.x upgrade to LDAP Integration 5.x-1.5
- If you use the LDAP Integration module for Drupal 4.7.x, disable the module.
Reported by
- The XSS vulnerability was reported by Jakub Suchy of the Drupal Security Team.
- The CSRF vulnerability was reported by Stéphane Corlosquet of the Drupal Security Team.
- The Access Bypass vulnerabilities were reported by Christian A. Reiter and Matt Vance.
- The User management access rules vulnerability was reported by Kevin Murphy.
Fixed by
- Miglius Alaburda, the module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.