[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4BF52EA3.4070704@madirish.net>
Date: Thu, 20 May 2010 08:44:19 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Drupal Chaos Tools Suite (Ctools) Module Multiple
Vulns
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2010-1546, CVE-2010-1547 and CVE-2010-1548
Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The Chaos tool suite module
(http://drupal.org/project/ctools) suffers from an arbitrary PHP code
execution vulnerability (CVE-2010-1546).
Chaos tool suite also fails to perform proper forms checking for linked
functionality in administrative forms which results in cross site
request forgery (XSRF) vulnerabilities (CVE-2010-1547).
Chaos tools suite also fails to perform status checking when
implementing auto complete functionality allowing for bypass of node
publish settings or other protections such as those imposed by the
Protected Node module (http://drupal.org/project/protected_node)
(CVE-2010-1548).
Systems affected:
- -----------------
Drupal 6.16 with Ctools 6.x-1.3 was tested and shown to be vulnerable
Impact
- ------
Authenticated users with 'administer page manager' permissions can
execute arbitrary PHP code, which could lead to compromise of the web
server process. Users with 'access content' permission can view titles
of unpublished nodes. Attackers could cause authenticated users to
alter configuration using XSRF.
Mitigating factors:
- -------------------
Attacker must be able to access the Pages administration forms, which is
possible for authenticated users with the 'administer page manager'
permission.
Vendor response:
- ----------------
Upgrade to the latest version of Ctools. Ref
http://drupal.org/node/803944, http://www.madirish.net/?article=458
- --
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPwEAQECAAYFAkv1LqMACgkQkSlsbLsN1gB/swb/cdXk+wcyXBC1EISjVpihgPCN
GYPQlOoCrlCTAWmi8sAMEkoH4gzGXoHtA7cis65vVQ8xiKY/kcvR4i0MuOVUDleG
74bSs4/1KI9mXbrRQ/yAmD5CqD/3aJ/Ut5i2C4SZxbOtSG6Km61Q1EYs/8nrZpfP
U+s20EJ3h6u6x7LseztFSTvZsEDaCv+d6wjRCWKZDvIE/jgCYEaGmUyr2xZvazkR
KZ5K7/nI1ItvE33sSktpGZW9pNP9Fgbo+PDBtND/vm+vRqw7/deNJE3ztoBvMDHX
1uh1c7oGwHsnaMgx7H8=
=n4+w
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists