• Advisory ID: DRUPAL-SA-CONTRIB-2010-052
• Projects: Multiple third party modules - Privatemsg, Weather Underground, Tellafriend, Menu Block Split, osCommerce, Download Count, Comment Page, False Account Detector, User Queue
• Version: 5.x, 6.x
• Date: 2010-05-19
• Security risks: Critical
• Exploitable from: Remote
• Vulnerability: Multiple (Cross-site Request Forgery, Cross-site scripting, Email header injection, SQL Injection)

Versions affected and proposed solutions

Private Message versions for the 5.x versions of Drupal
The Privatemsg (also known as Private Message) module enables messages to be sent internally on a site. The module is vulnerable to cross-site request forgeries (CSRF) via its message delete form. This would allow a malicious user to trick an admin into deleting arbitrary message content by directing them to the URL via a link, an image src, etc., or trick a user into deleting their own messages.
Solution: Disable the module or upgrade to the latest 6.x versions of Drupal core and the Private message module.
Weather Underground 6.x-2.0
The Weather Underground module retrieves and displays weather information from Weather Underground (http://www.wunderground.com). The block subject can be configured on the wunderground settings page but is not sanitized before display, allowing for a cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that an attacker must have the "access administration pages" permission which should generally only be granted to trusted roles.
Solution: Disable the module. There is no safe version of the module to use.
Tellafriend version 6.x-2.10 and 5.x-2.7
The Tellafriend module enables site visitors to send e-mails about the site to their contacts via a form. The module is vulnerable to email header injection and could be exploited to send spam.
Solution: Disable the module. There is no safe version of the module to use.
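
The pattern that closes the header-injection hole described above, as an added example that is not Tellafriend's own code. It assumes a hypothetical "tellafriend_example" module for Drupal 6 whose form has the fields sender_name, sender_mail, recipient_mail, subject and message; every value that ends up in a mail header is validated to be a single line before drupal_mail() is called, and flattened once more in hook_mail().

```php
<?php
// Added example, not Tellafriend's own code: a hypothetical "tellafriend_example"
// module for Drupal 6 that keeps CR/LF out of every value that reaches a mail
// header, so a visitor cannot append extra headers (Bcc:, extra recipients).

// Header values are single-line by definition; anything after a line break
// would be parsed by the MTA as a new header.
function _tellafriend_example_oneline($s) {
  return str_replace(array("\r", "\n"), '', $s);
}
function tellafriend_example_form_validate($form, &$form_state) {
  $v = $form_state['values'];
  foreach (array('sender_mail', 'recipient_mail') as $field) {
    // valid_email_address() accepts one well-formed address, nothing else.
    if (!valid_email_address($v[$field])) {
      form_set_error($field, t('The e-mail address %mail is not valid.',
        array('%mail' => $v[$field])));
    }
  }
  foreach (array('sender_name', 'subject') as $field) {
    // Reject rather than silently repair, so the visitor sees what went wrong.
    if (preg_match('/[\r\n]/', $v[$field])) {
      form_set_error($field, t('Line breaks are not allowed in this field.'));
    }
  }
}

function tellafriend_example_form_submit($form, &$form_state) {
  $v = $form_state['values'];
  $params = array('sender_name' => $v['sender_name'], 'sender_mail' => $v['sender_mail'],
    'subject' => $v['subject'], 'message' => $v['message']);
  // The site address is the envelope sender; the visitor only appears in
  // Reply-To, so the site never relays with an arbitrary From header.
  drupal_mail('tellafriend_example', 'recommend', $v['recipient_mail'],
    language_default(), $params, variable_get('site_mail', ini_get('sendmail_from')));
}

// Implementation of hook_mail(): defence in depth, the header values are
// flattened to one line again even if a caller bypassed the form validator.
function tellafriend_example_mail($key, &$message, $params) {
  if ($key == 'recommend') {
    $name = _tellafriend_example_oneline($params['sender_name']);
    $mail = _tellafriend_example_oneline($params['sender_mail']);
    $message['subject'] = mime_header_encode(_tellafriend_example_oneline($params['subject']));
    $message['headers']['Reply-To'] = mime_header_encode($name) . ' <' . $mail . '>';
    $message['body'][] = t('@name thought you might like this site: @url',
      array('@name' => $name, '@url' => url('<front>', array('absolute' => TRUE))));
    $message['body'][] = $params['message'];
  }
}
```

Drupal's mail layer writes each element of $message['headers'] as its own header line, so as long as no value contains a line break the visitor cannot introduce a header of their own.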
Menu Block Split version 6.x-2.1 and 5.x-2.1
The Menu Block Split module enables any menu block to be split into two different blocks: a first block with the first level menu entries only, and a second block with any second level and sub level menu entries. The block subject can be configured on the Menu Block Split settings page, but is not sanitized before display, allowing for a cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access.
Solution: Disable the module. There is no safe version of the module to use.
osCommerce version 6.x-1.0
The osCommerce module provides a front end to the osCommerce application. The module's 'Title for manufacturers block' configuration field is not sanitized before display, allowing for a cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access.
Solution: Disable the module. There is no safe version of the module to use.
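
The Weather Underground, Menu Block Split and osCommerce entries above share one defect: a block subject that an administrator can configure is returned from hook_block() and printed as-is. The following is an added example, not code from any of those modules; it assumes a hypothetical "subjectdemo" module for Drupal 6 and shows where the escaping belongs, since Drupal 6 core does not escape a subject that a module returns from the 'view' operation.

```php
<?php
// Added example, not code from the modules above: a hypothetical "subjectdemo"
// module for Drupal 6 with a block subject that is configurable on the block's
// configure form. Drupal 6 prints a module-supplied subject raw in block.tpl.php,
// so the module itself has to escape it at output time.

/**
 * Implementation of hook_block().
 */
function subjectdemo_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => t('Subject demo block')));

    case 'configure':
      // Only users with 'administer blocks' reach this form, but "trusted"
      // is not the same as "HTML-safe": stored text is still data, not markup.
      $form['subjectdemo_subject'] = array(
        '#type' => 'textfield',
        '#title' => t('Block subject'),
        '#default_value' => variable_get('subjectdemo_subject', t('Demo')),
      );
      return $form;

    case 'save':
      // Storing the raw value is correct; escaping belongs at output, because
      // the same string may later be shown in a context with other rules.
      variable_set('subjectdemo_subject', $edit['subjectdemo_subject']);
      return;

    case 'view':
      $subject = variable_get('subjectdemo_subject', t('Demo'));
      // Vulnerable form this replaces:
      //   return array('subject' => $subject, 'content' => ...);
      // A subject such as <script>...</script> would then run for every
      // visitor who sees the block, in the visitor's session.
      return array(
        'subject' => check_plain($subject),   // <script> becomes &lt;script&gt;
        'content' => t('Block body'),
      );
  }
}
```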
download_count version 6.x-1.3 and 5.x-1.0
The download_count module increments a download counter each time an attached file is successfully downloaded. This module is vulnerable to cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access.
Solution: Disable the module. There is no safe version of the module to use.
Comment Page version 6.x-1.1 and 5.x-1.1
The Comment Page module displays each comment on its own page, with an optional thread review that links to other comments in a comment thread. The module does not properly sanitize some content before outputting it, exposing multiple cross site scripting (XSS) vulnerabilities and allowing malicious users with the permission "post comments" to inject scripts. Additionally, Comment Page incorrectly uses drupal_access_denied (not stopping the flow after calling this function) and uses a non-existing permission ("admin comments") as the access argument to its administration page.
Solution: Disable the module. There is no safe version of the module to use.
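
The two access-control mistakes named for Comment Page, drupal_access_denied() called without returning and a menu item guarded by a permission that no module declares, are shown with their fixes in the following added example. It is not Comment Page's own code; it assumes a hypothetical "cpdemo" module for Drupal 6 and the core {comments} and {users} tables.

```php
<?php
// Added example, not Comment Page's own code: a hypothetical "cpdemo" module
// for Drupal 6. The menu item must name a permission that actually exists, and
// the page callback must stop after calling drupal_access_denied().

// Implementation of hook_perm(). A permission used in 'access arguments' must be
// declared here or by core: a name like 'admin comments' matches nothing, so
// user_access() is FALSE for everyone but user 1 (unusable, not protected).
function cpdemo_perm() {
  return array('administer comment page');
}

function cpdemo_settings_form() {
  $form['cpdemo_thread_review'] = array('#type' => 'checkbox', '#title' => t('Show thread review links'),
    '#default_value' => variable_get('cpdemo_thread_review', 1));
  return system_settings_form($form);
}

// Implementation of hook_menu().
function cpdemo_menu() {
  $items['admin/settings/cpdemo'] = array(
    'title' => 'Comment page settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('cpdemo_settings_form'),
    'access arguments' => array('administer comment page'), // declared above
  );
  $items['comment/%/page'] = array(
    'title' => 'Comment',
    'page callback' => 'cpdemo_view_comment',
    'page arguments' => array(1),
    'access arguments' => array('access comments'), // core permission
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function cpdemo_view_comment($cid) {
  $comment = db_fetch_object(db_query(
    'SELECT c.*, u.name FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d', $cid));
  if (!$comment || ($comment->status != COMMENT_PUBLISHED && !user_access('administer comments'))) {
    // drupal_access_denied() prints the 403 page but does not exit; without
    // this return the function would go on and append the comment to that page.
    drupal_access_denied();
    return;
  }
  // Commenter-controlled text is escaped or filtered at output time, so
  // 'post comments' alone is never enough to inject script into the page.
  $output = '<h2>' . check_plain($comment->subject) . '</h2>';
  $output .= '<p>' . t('By @name', array('@name' => $comment->name)) . '</p>';
  $output .= check_markup($comment->comment, $comment->format, FALSE);
  return $output;
}
```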
False Account Detector versions for the 5.x and 6.x versions of Drupal
The False Account Detector module helps administrators to find out which users have more than one account on a Drupal system and can block them from creating new accounts. The module does not properly sanitize received cookies, exposing multiple cross site scripting (XSS) and SQL Injection vulnerabilities and allowing malicious authenticated users to block other user accounts.
Solution: Disable the module. There is no safe version of the module to use.

Edited March 27, 2024: Previous versions of False Account Detector for Drupal core versions 5.x and 6.x contained these security vulnerabilities. The code has been rewritten completely for Drupal 10+ and is now available again.
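
How a module that keys on a cookie can treat it as untrusted input, as an added example that is not False Account Detector's own code. It assumes a hypothetical "fad_demo" module for Drupal 6 and an assumed table {fad_demo_log}; the cookie is checked against the exact shape the module issues before it is used in a query or printed, and the queries use db_query() placeholders rather than string concatenation.

```php
<?php
// Added example, not False Account Detector's own code: a hypothetical "fad_demo"
// module for Drupal 6 that tags a browser with a random token in a cookie and
// later lists the accounts that logged in from that browser.

define('FAD_DEMO_COOKIE', 'fad_demo_id');

// Returns the cookie value only if it has the exact shape this module issues
// (32 hex characters); anything else is treated as absent. That closes both
// the SQL-injection and the XSS surface before any sink is reached.
function fad_demo_cookie_token() {
  if (!isset($_COOKIE[FAD_DEMO_COOKIE])) {
    return FALSE;
  }
  return preg_match('/^[0-9a-f]{32}$/', $_COOKIE[FAD_DEMO_COOKIE]) ? $_COOKIE[FAD_DEMO_COOKIE] : FALSE;
}

// Implementation of hook_user(): record which token each login used.
// Assumed table: {fad_demo_log}(uid INT, token VARCHAR(32), seen INT).
function fad_demo_user($op, &$edit, &$account, $category = NULL) {
  if ($op == 'login') {
    $token = fad_demo_cookie_token();
    if (!$token) {
      $token = md5(uniqid(mt_rand(), TRUE));
      setcookie(FAD_DEMO_COOKIE, $token, time() + 365 * 86400, '/');
    }
    // Placeholders, never concatenation: db_query() escapes '%s' and casts %d,
    // so the token cannot change the structure of the statement.
    db_query("INSERT INTO {fad_demo_log} (uid, token, seen) VALUES (%d, '%s', %d)",
      $account->uid, $token, time());
  }
}

// Admin page listing accounts seen with the current browser's token.
function fad_demo_list_page() {
  $token = fad_demo_cookie_token();
  if (!$token) {
    return t('No token cookie present.');
  }
  // Vulnerable form this replaces: "... WHERE l.token = '$_COOKIE[...]'",
  // where a quote in the cookie ends the literal and the rest is SQL.
  $result = db_query("SELECT DISTINCT u.uid, u.name FROM {fad_demo_log} l
    INNER JOIN {users} u ON u.uid = l.uid WHERE l.token = '%s'", $token);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    // theme_table() does not escape cell contents; l() check_plain()s its text.
    $rows[] = array(l($row->name, 'user/' . $row->uid), check_plain($token));
  }
  return theme('table', array(t('Account'), t('Token')), $rows);
}
```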

User Queue version 6.x-1.0
The Userqueue module enables site builders to create a queue (or list) of users on a site. The module is vulnerable to CSRF, which would allow a malicious user to trick a site builder into deleting a user from a queue.
Solution: Disable the module. There is no safe version of the module to use. Update to version 6.x-1.1
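
Privatemsg and Userqueue above have the same class of flaw: a delete action that fires on a plain GET request. The following added example, not code from either module, assumes a hypothetical "msgdemo" module for Drupal 6 and an assumed table {msgdemo_message}; it shows the CSRF-prone menu item next to the fix, which routes the deletion through confirm_form() so it only happens on a POST carrying the Forms API token tied to the user's session.

```php
<?php
// Added example, not Privatemsg's or Userqueue's own code: a hypothetical
// "msgdemo" module for Drupal 6. The first menu item deletes on GET (the
// flaw); the second only deletes from a confirm form's submit handler.

// Implementation of hook_menu().
function msgdemo_menu() {
  // Anti-pattern: any page that makes the victim's browser request this URL
  // (a link, an <img src>) deletes the message with the victim's cookies.
  $items['msgdemo/delete-now/%'] = array(
    'page callback' => 'msgdemo_delete_now',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // Fixed: a confirmation form; the deletion lives in the submit handler only.
  $items['msgdemo/delete/%'] = array(
    'title' => 'Delete message',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('msgdemo_delete_confirm', 2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function msgdemo_delete_now($mid) {
  msgdemo_delete_message($mid);  // runs on GET, no token check: CSRF
  drupal_goto('msgdemo');
}

function msgdemo_delete_confirm(&$form_state, $mid) {
  $form['mid'] = array('#type' => 'value', '#value' => $mid);
  return confirm_form($form, t('Delete this message?'), 'msgdemo',
    t('This action cannot be undone.'), t('Delete'), t('Cancel'));
}

function msgdemo_delete_confirm_submit($form, &$form_state) {
  // Only reached after Forms API validated form_token (added by Drupal 6 for
  // logged-in users); a cross-site POST cannot know that token.
  msgdemo_delete_message($form_state['values']['mid']);
  drupal_set_message(t('The message has been deleted.'));
  $form_state['redirect'] = 'msgdemo';
}

function msgdemo_delete_message($mid) {
  global $user;
  // Assumed table {msgdemo_message}(mid, recipient); ownership is checked too.
  db_query('DELETE FROM {msgdemo_message} WHERE mid = %d AND recipient = %d', $mid, $user->uid);
}
```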

Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do.

Ongoing Maintenance of these modules

If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process.

Reported by

Peter Wolanin of the Drupal Security Team
John Morahan of the Drupal Security Team
Dylan Tack of the Drupal Security Team
Kieran Lal of the Drupal Security Team
Ivo Van Geertruyen of the Drupal Security Team
Martin Barbella
Brandon Bergren
George Gongadze

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.