* Advisory ID: DRUPAL-SA-CONTRIB-2012-036 * Projects: Content Lock [1], Ubercart Bulk Stock Updater [2], Ubercart Payflow Link [3], ticketyboo News Ticker [4], Admin tools [5], Redirecting click bouncer [6] (third-party modules) * Version: 6.x * Version: 7.x * Date: 2012-March-14 * Security risk: Critical [7] * Exploitable from: Remote * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- Content Lock [8] Is a module that prevents users from concurrent editing of nodes. This module does not use a token for unlocking a content lock. This leads to a CSRF attack vector. Ubercart Bulk Stock Updater [9] is an extension module for Ubercart 2.x running on Drupal 6.x which makes it easy to bulk-edit product stock levels. This module does not properly use the formAPI and this results in a CSRF attack vector. Ubercart Payflow Link [10] is a payment solution for ubercart provided by PayPal. This module does not use a secure token and thus could allow payments to be forged. ticketyboo News Ticker [11]is a module that lets you configure three separate news tickers as Drupal Blocks. This module does not filter output correctly leading to a XSS attack vector. It may also have a SQL injection vector. Admin tools [12] This package will contain a complete set of tools for managing several drupal installs. This module does not properly filter text leading to a XSS attack vector, as well as not checking tokens leading to a CSRF attack vector. Redirecting click bouncer [13], is a module that lets you create links to a target that simply redirects to the real destination. The redirect happens server-side which means that we can track the redirects. This comes handy when we have links in our site and we need to know when they are clicked. This module does not check the URL to redirect to, this create an open redirect. -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of Content Lock are affected by vulnerabilities. * All versions of Ubercart Bulk Stock Updater payment are affected by vulnerabilities. * All versions of Ubercart Payflow Link are affected by vulnerabilities. * All versions of ticketyboo News Ticker are affected by vulnerabilities. * All versions of Admin tools are affected by vulnerabilities. * All versions of Redirecting click bouncer are affected by vulnerabilities. * All versions of Printer, e-mail and PDF versions are affected by vulnerabilities. Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Unsupported project process [14]. -------- REPORTED BY --------------------------------------------------------- * Content Lock issue reported by Charlie Gordon [15] * Ubercart Bulk Stock Updater issue reported by Peter Boden [16] * Ubercart Payflow Link issue reported by Dylan Tack [17] of the Drupal Security Team * ticketyboo News Ticker issue reported by Sascha Grossenbacher [18] * Admintools issue reported by Ivo Van Geertruyen [19] of the Drupal Security Team * Redirecting click bouncer issue reported by John T. Haller -------- FIXED BY ------------------------------------------------------------ No fixes created. -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [20] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [21]. Learn more about the Drupal Security team and their policies [22], writing secure code for Drupal [23], and securing your site [24]. [1] http://drupal.org/project/content_lock [2] http://drupal.org/project/uc_bulk_stock_updater [3] http://drupal.org/project/uc_payflowlink [4] http://drupal.org/project/ticketyboo [5] http://drupal.org/project/admintools [6] http://drupal.org/project/bouncer [7] http://drupal.org/security-team/risk-levels [8] http://drupal.org/project/content_lock [9] http://drupal.org/project/uc_bulk_stock_updater [10] http://drupal.org/project/uc_payflowlink [11] http://drupal.org/project/ticketyboo [12] http://drupal.org/project/admintools [13] http://drupal.org/project/bouncer [14] http://drupal.org/node/251466 [15] http://drupal.org/user/157412 [16] http://drupal.org/user/55050 [17] http://drupal.org/user/96647 [18] http://drupal.org/user/214652 [19] http://drupal.org/user/383424 [20] http://drupal.org/user/102818 [21] http://drupal.org/contact [22] http://drupal.org/security-team [23] http://drupal.org/writing-secure-code [24] http://drupal.org/security/secure-configuration _______________________________________________ Security-news mailing list Security-news@drupal.org http://lists.drupal.org/mailman/listinfo/security-news