  • Advisory ID: DRUPAL-SA-CONTRIB-2010-069
  • Project: Case Tracker (third-party module)
  • Version: 5.x
  • Date: 2010-June-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple Vulnerabilities

Description

The Case Tracker module enables teams to track outstanding cases which need resolution by attaching a status, priority and type.

Cross Site Scripting (XSS)

The module does not sanitize some of the user-supplied data before displaying it, leading to a cross site scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access. This vulnerability is mitigated by the fact that an attacker must have the "administer casetracker" permission, which should generally only be granted to trusted roles.
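
As an added illustration of the class of bug described above (this is not the Case Tracker module's code; the theme function and the status field are hypothetical), a Drupal 5 style theme function that renders a user-supplied status label first without and then with Drupal's check_plain():

```php
<?php
// Added example, not Case Tracker code: a hypothetical Drupal 5 style theme
// function that renders a user-supplied case status label. The function and
// field names are assumptions made for illustration only.

// Drupal 5 defines check_plain() as an htmlspecialchars() wrapper; the same
// fallback is defined here so this file also runs outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable: the label is concatenated straight into markup, so any HTML a
// user with "administer casetracker" typed into the status name is
// interpreted by the browser of everyone who views the case.
function theme_casetracker_status_unsafe($status) {
  return '<span class="case-status">' . $status . '</span>';
}

// Hardened: every user-controlled string is escaped at the point of output.
function theme_casetracker_status($status) {
  return '<span class="case-status">' . check_plain($status) . '</span>';
}

// Constructed sample value: a status name carrying a script tag.
$status = 'Open<script>alert("xss")</script>';

$unsafe = theme_casetracker_status_unsafe($status);
$safe   = theme_casetracker_status($status);

echo "Unsanitized: $unsafe\n";
echo "Sanitized:   $safe\n";

// Self-check: the hardened output must not contain a live <script> tag.
if (strpos($unsafe, '<script') === false || strpos($safe, '<script') !== false) {
  echo "Check failed\n";
  exit(1);
}
echo "Check passed: script tag is escaped in the sanitized output\n";
```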

Access Bypass

The module provides the "access case tracker" permission, which is used to restrict access to reports and other functionality the module provides. However, it was also used, but only in some instances, to restrict access to individual project and case nodes. This inconsistent access check has been removed; instead, users are encouraged to install a content access module to restrict access to these nodes.

Versions affected

  • Case Tracker module for Drupal 5.x versions prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed Case Tracker module, there is nothing you need to do.

Solution

Install the latest version:

As the "access case tracker" permission no longer controls access to project and case nodes, users are encouraged to install a content access module to restrict access to these nodes as necessary.

See also the Case Tracker project page.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.