Bug 276214 - <www-apps/drupal-{5.19, 6.13}: Multiple vulnerabilities (CVE-2009-{2372,2373,2374})
Summary: <www-apps/drupal-{5.19, 6.13}: Multiple vulnerabilities (CVE-2009-{2372,2373,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://drupal.org/node/507572
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-02 12:59 UTC by Alex Legler (RETIRED)
Modified: 2009-07-10 09:00 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-02 12:59:42 UTC
Cross-site scripting

The Forum module does not correctly handle certain arguments obtained from the URL.
This issue affects Drupal 6.x only.

Input format access bypass

User signatures have no separate input format; they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However, they will still be able to modify their signature, which will then be processed by the new input format.

This issue affects Drupal 6.x only.

Password leaked in URL

When an anonymous user fails to log in due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links, the password may then be leaked to external sites via the HTTP referer.

In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache.
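The "Password leaked in URL" mechanism above, as an added illustration in PHP. This is not Drupal's code and not the fix that shipped in 5.19/6.13; the function names, the `$constructedGet`/`$constructedPost` arrays and the `admin/content` path are constructed for the example. It contrasts a link builder that carries every request parameter (including POSTed login fields) into table sort links with one that preserves only an explicit allowlist of GET parameters, and adds a check a defender can run over generated links.

```php
<?php
// Added example (not Drupal's own code): building sortable-table header links
// from an explicit allowlist of GET parameters, so that credentials submitted
// in a failed login never end up inside generated links.

// Constructed request data standing in for a failed anonymous login that was
// POSTed to a page which also renders a sortable table.
$constructedGet  = ['q' => 'admin/content', 'sort' => 'asc', 'order' => 'title', 'page' => '1'];
$constructedPost = ['name' => 'alice', 'pass' => 'hunter2', 'form_id' => 'user_login_block'];

// Weak pattern: carry over everything in the merged request (GET + POST)
// except the sort keys. POSTed credentials survive into the link.
function weak_query_string(array $request): string {
    $keep = array_diff_key($request, array_flip(['q', 'sort', 'order']));
    return http_build_query($keep);
}

// Hardened pattern: only named, known-safe GET parameters are preserved.
// Anything submitted via POST is never consulted.
function safe_query_string(array $get, array $allowlist = ['page']): string {
    $keep = array_intersect_key($get, array_flip($allowlist));
    return http_build_query($keep);
}

// Assemble a column header link for the given field and direction.
function build_sort_link(string $path, string $field, string $direction, string $extra): string {
    $qs = 'sort=' . rawurlencode($direction) . '&order=' . rawurlencode($field);
    if ($extra !== '') {
        $qs .= '&' . $extra;
    }
    return '/' . ltrim($path, '/') . '?' . $qs;
}

// Defender-side check: flag any link whose query string names a credential
// parameter, so a regression of this kind is caught in tests rather than shipped
// (and leaked through the referer header or the page cache).
function link_leaks_credentials(string $url): bool {
    $query = (string) (parse_url($url, PHP_URL_QUERY) ?: '');
    parse_str($query, $params);
    foreach (['name', 'pass', 'password'] as $sensitive) {
        if (array_key_exists($sensitive, $params)) {
            return true;
        }
    }
    return false;
}

$request  = array_merge($constructedGet, $constructedPost);
$weakLink = build_sort_link('admin/content', 'title', 'desc', weak_query_string($request));
$safeLink = build_sort_link('admin/content', 'title', 'desc', safe_query_string($constructedGet));

echo "weak: $weakLink\n";
echo "safe: $safeLink\n";
var_dump(link_leaks_credentials($weakLink));
var_dump(link_leaks_credentials($safeLink));
```

Run the file with the PHP CLI; the weak link carries the submitted `name` and `pass` values while the allowlisted link carries only `page`. The same `link_leaks_credentials()` check can be pointed at any rendered page's anchors when reviewing a site that serves sortable tables on pages where a login form may be submitted.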
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-02 13:02:09 UTC
Issue 2 might lead to the execution of arbitrary PHP code, rating as ~1.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2009-07-08 11:54:28 UTC
Thank you for the report. 5.19 and 6.13 added to the tree.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-08 12:10:00 UTC
closed, thanks.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 09:00:44 UTC
CVE-2009-2372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2372):
  Drupal 6.x before 6.13 does not prevent users from modifying user
  signatures after the associated comment format has been changed to an
  administrator-controlled input format, which allows remote
  authenticated users to inject arbitrary web script, HTML, and
  possibly PHP code via a crafted user signature.

CVE-2009-2373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2373):
  Cross-site scripting (XSS) vulnerability in the Forum module in
  Drupal 6.x before 6.13 allows remote attackers to inject arbitrary
  web script or HTML via unspecified vectors.

CVE-2009-2374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2374):
  Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize
  failed login attempts for pages that contain a sortable table, which
  includes the username and password in links that can be read from (1)
  the HTTP referer header of external web sites that are visited from
  those links or (2) when page caching is enabled, the Drupal page
  cache.