Bug 453835 - SA-2008-048 - CCK - CROSS SITE SCRIPTING
Status: RESOLVED FIXED (Closed)
Opened 16 years ago, closed 16 years ago
Product / Component: Infrastructure & Operations Graveyard :: WebOps: Other (task)
Reporter: paul; Assigned: justdave
Keywords: wsec-xss
Hello,

Would you please push the latest version of CCK (r18060) to production as soon as we're both happy it's working on stage. It seems to be working fine on my local server.

Apologies, I forgot to add a message with the SVN commit.

------------SA-2008-048 - CCK - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-048
* Project: CCK (third-party module)
* Version: 5.x
* Date: 2008-Sep-04
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser. Some of the settings (field label, help text, allowed values) entered on the field settings forms are then displayed without appropriate filtering.

Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

* CCK for Drupal 5.x prior to 5.x-1.8

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected. If you do not use the contributed CCK module on a Drupal 5 site, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* CCK 5.x-1.8 [ http://drupal.org/node/303532 ]

See also the CCK project page [ http://drupal.org/project/cck ].

------------NOTE------------

If your theme uses field templates, you will need to manually change the function phptemplate_field (or possibly THEME_NAME_field) in your theme's template.php:

change:
  'label' => t($field['widget']['label']),
to:
  'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

* The cross site scripting issue was reported by Peter Wolanin [ http://drupal.org/user/49851 ] from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
Comment 1•16 years ago

Security issue. Should get this reviewed and deployed ASAP.

Severity: major → critical
OS: Mac OS X → All
Hardware: PC → All
Comment 2•16 years ago

@Alix, I would highly recommend we have someone else on our spreadfirefox team sign up for security announcements @ http://drupal.org/security so that we can jump on security issues more quickly. Perhaps then we could have an arrangement where, if someone receives a notification from drupal.org of a security problem, that information is forwarded to me via an SMS text to my mobile phone, and then I can get online quickly to resolve any problem.

Best,
Paul
Comment 3•16 years ago

(In reply to comment #0)
> Hello,
>
> Would you please push the latest version of CCK (r18060) to production
> as soon as we're both happy it's working on stage.
>
> It seems to be working fine on my local server.
>
> Apologies, I forgot to add a message with the SVN commit.

I get the errors below on the stage server that I don't see on my local server when I preview a document (with an additional text field created with CCK). However, it seems to submit fine. In php.ini, error_reporting = E_ALL.

* warning: Invalid argument supplied for foreach() in /data/www/spreadfirefox.authstage.mozilla.com/modules/node/node.module on line 521.
* warning: implode() [function.implode]: Bad arguments. in /data/www/spreadfirefox.authstage.mozilla.com/modules/node/node.module on line 525.
* user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 query: SELECT n.nid, n.vid, n.type, n.status, n.created, n.changed, n.comment, n.promote, n.sticky, r.timestamp AS revision_timestamp, r.title, r.body, r.teaser, r.log, r.format, u.uid, u.name, u.picture, u.data FROM node n INNER JOIN users u ON u.uid = n.uid INNER JOIN node_revisions r ON r.vid = n.vid WHERE in /data/www/spreadfirefox.authstage.mozilla.com/includes/database.mysql.inc on line 172.
* warning: Invalid argument supplied for foreach() in /data/www/spreadfirefox.authstage.mozilla.com/modules/node/node.module on line 521.
* warning: implode() [function.implode]: Bad arguments. in /data/www/spreadfirefox.authstage.mozilla.com/modules/node/node.module on line 525.
* user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 query: SELECT n.nid, n.vid, n.type, n.status, n.created, n.changed, n.comment, n.promote, n.sticky, r.timestamp AS revision_timestamp, r.title, r.body, r.teaser, r.log, r.format, u.uid, u.name, u.picture, u.data FROM node n INNER JOIN users u ON u.uid = n.uid INNER JOIN node_revisions r ON r.vid = n.vid WHERE in /data/www/spreadfirefox.authstage.mozilla.com/includes/database.mysql.inc on line 172.
Comment 4•16 years ago

The above error is not related to the CCK upgrade; filed bug 453864.

There is another difference, however: on stage, on the homepage (and others), the following is showing up under the search box, and shouldn't be:

CAPTCHA administration: Place a challenge here for untrusted users.

This also showed up on update.php.
Comment 5•16 years ago

Never mind, the above error was a Drupal settings problem.
Comment 6•16 years ago

Replacing tags/production/sites/all/modules/cck/CHANGELOG.txt
Replacing tags/production/sites/all/modules/cck/LICENSE.txt
Replacing tags/production/sites/all/modules/cck/README.txt
Replacing tags/production/sites/all/modules/cck/UPGRADE.txt
Replacing tags/production/sites/all/modules/cck/content.css
Adding tags/production/sites/all/modules/cck/content.devel.inc
Replacing tags/production/sites/all/modules/cck/content.info
Replacing tags/production/sites/all/modules/cck/content.install
Replacing tags/production/sites/all/modules/cck/content.module
Replacing tags/production/sites/all/modules/cck/content_admin.css
Replacing tags/production/sites/all/modules/cck/content_admin.inc
Replacing tags/production/sites/all/modules/cck/content_copy.info
Replacing tags/production/sites/all/modules/cck/content_copy.module
Replacing tags/production/sites/all/modules/cck/content_crud.inc
Adding tags/production/sites/all/modules/cck/content_panels.inc
Replacing tags/production/sites/all/modules/cck/content_pathauto.inc
Replacing tags/production/sites/all/modules/cck/content_views.inc
Replacing tags/production/sites/all/modules/cck/field.php
Replacing tags/production/sites/all/modules/cck/fieldgroup.css
Replacing tags/production/sites/all/modules/cck/fieldgroup.info
Replacing tags/production/sites/all/modules/cck/fieldgroup.install
Replacing tags/production/sites/all/modules/cck/fieldgroup.module
Replacing tags/production/sites/all/modules/cck/nodereference.info
Replacing tags/production/sites/all/modules/cck/nodereference.install
Replacing tags/production/sites/all/modules/cck/nodereference.module
Replacing tags/production/sites/all/modules/cck/number.info
Replacing tags/production/sites/all/modules/cck/number.install
Replacing tags/production/sites/all/modules/cck/number.module
Replacing tags/production/sites/all/modules/cck/optionwidgets.info
Replacing tags/production/sites/all/modules/cck/optionwidgets.install
Replacing tags/production/sites/all/modules/cck/optionwidgets.module
Replacing tags/production/sites/all/modules/cck/po
Replacing tags/production/sites/all/modules/cck/po/cck.pot
Adding tags/production/sites/all/modules/cck/po/da.po
Replacing tags/production/sites/all/modules/cck/po/de.po
Replacing tags/production/sites/all/modules/cck/po/es.po
Replacing tags/production/sites/all/modules/cck/po/fr.po
Adding tags/production/sites/all/modules/cck/po/it.po
Replacing tags/production/sites/all/modules/cck/po/nl.po
Replacing tags/production/sites/all/modules/cck/po/pt.po
Replacing tags/production/sites/all/modules/cck/po/ru.po
Replacing tags/production/sites/all/modules/cck/po/vi.po
Replacing tags/production/sites/all/modules/cck/text.info
Replacing tags/production/sites/all/modules/cck/text.install
Replacing tags/production/sites/all/modules/cck/text.module
Replacing tags/production/sites/all/modules/cck/theme
Replacing tags/production/sites/all/modules/cck/theme/README.txt
Replacing tags/production/sites/all/modules/cck/theme/field-field_my_field.tpl.php
Replacing tags/production/sites/all/modules/cck/theme/field.tpl.php
Replacing tags/production/sites/all/modules/cck/theme/node-content_example.tpl.php
Replacing tags/production/sites/all/modules/cck/theme/template.php
Replacing tags/production/sites/all/modules/cck/userreference.info
Replacing tags/production/sites/all/modules/cck/userreference.install
Replacing tags/production/sites/all/modules/cck/userreference.module
Committed revision 18066.

Could you svn up production and run update.php please? Thanks.

Assignee: nobody → server-ops
Component: spreadfirefox.com → Server Operations: Web Content Push
Product: Websites → mozilla.org
QA Contact: spreadfirefox-com → mrz
Version: unspecified → other
Updated•16 years ago

Assignee: server-ops → justdave
Comment 7•16 years ago

sigh...

------------SA-2008-048-B - CCK - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-048-b
* Project: CCK (third-party module)
* Version: 5.x
* Date: 2008-Sep-04
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------UPDATE------------

This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9.

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser. Some of the settings (field label, help text, allowed values) entered on the field settings forms are then displayed without appropriate filtering.

Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

* CCK for Drupal 5.x prior to 5.x-1.9

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected. If you do not use the contributed CCK module on a Drupal 5 site, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* CCK 5.x-1.8 [ http://drupal.org/node/303532 ]
  5.x-1.8 had two critical [ http://drupal.org/node/304118 ] bugs [ http://drupal.org/node/304122 ]
* CCK 5.x-1.9 [ http://drupal.org/node/304193 ]
  hot fix release - includes security fix and these critical issue fixes.

See also the CCK project page [ http://drupal.org/project/cck ].

------------NOTE------------

If your theme uses field templates, you will need to manually change the function phptemplate_field (or possibly THEME_NAME_field) in your theme's template.php:

change:
  'label' => t($field['widget']['label']),
to:
  'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

* The cross site scripting issue was reported by Peter Wolanin [ http://drupal.org/user/49851 ] from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
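Added example (not code from this bug, the advisory or the CCK module) showing the one-line change from the NOTE section of the advisory quoted in comment 0 and comment 7 in a runnable form: the same field label is rendered once the way a pre-fix theme template does and once wrapped in check_plain(). The t() and check_plain() functions are stand-ins so the script runs outside Drupal, the phptemplate_field_before/after and label_is_inert names are assumptions, and the field array with its label is constructed.

```php
<?php
// Added example, not code from the bug, the advisory or the CCK module.
// Stand-ins (assumption) so this runs outside Drupal: t() is reduced to an
// identity translation, and check_plain() mirrors Drupal 5's htmlspecialchars()
// call with ENT_QUOTES so that <, >, " and ' are all escaped.
function t($string) {
    return $string;
}
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before the fix: the label stored from the field settings form reaches the
// page as raw HTML, so markup entered there by an "administer content" user
// is interpreted by the browser of every visitor who views the field.
function phptemplate_field_before($field) {
    $label = t($field['widget']['label']);
    return '<div class="field-label">' . $label . ':</div>';
}

// After the fix from the advisory's NOTE: check_plain() wraps t(), so the
// same label is shown literally and cannot contribute tags or attributes.
function phptemplate_field_after($field) {
    $label = check_plain(t($field['widget']['label']));
    return '<div class="field-label">' . $label . ':</div>';
}

// Check a theme audit can reuse: the rendered label text between the wrapper
// tags must contain no angle bracket or quote of its own.
function label_is_inert($rendered) {
    $start = strlen('<div class="field-label">');
    $end   = strrpos($rendered, ':</div>');
    $inner = substr($rendered, $start, $end - $start);
    return strpos($inner, '<') === false
        && strpos($inner, '"') === false
        && strpos($inner, "'") === false;
}

// Constructed field definition whose label carries markup.
$field = array('widget' => array('label' => 'Title <script>alert("x")</script>'));

$before = phptemplate_field_before($field);
$after  = phptemplate_field_after($field);

echo "before: $before\n";
echo "after:  $after\n";
echo 'before inert: ', var_export(label_is_inert($before), true), "\n";
echo 'after inert:  ', var_export(label_is_inert($after), true), "\n";
```

Running it shows the unescaped label surviving into the markup in the "before" output and only entity-encoded text in the "after" output, which is the difference the theme change in template.php is meant to produce.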
Comment 8•16 years ago

(In reply to comment #6)
> Could you svn up production and run update.php please? Thanks.

Code is deployed. I'm currently unable to run the update.php script because it appears to have to be run from the web, and the webservers have it ACLed off so you can't get to it that way. Trying to track down some help (if you know how to make it work from the command line, let me know).
Comment 9•16 years ago

The following queries were executed:

content module

Update #1009
* ALTER TABLE {content_type_webform} ADD INDEX (nid)
* ALTER TABLE {content_type_image} ADD INDEX (nid)
* ALTER TABLE {content_type_blog} ADD INDEX (nid)
* ALTER TABLE {content_type_forum} ADD INDEX (nid)
* ALTER TABLE {content_type_poll} ADD INDEX (nid)
* ALTER TABLE {content_type_event} ADD INDEX (nid)
* ALTER TABLE {content_type_document} ADD INDEX (nid)
* ALTER TABLE {content_type_feed} ADD INDEX (nid)
* ALTER TABLE {content_type_feeditems} ADD INDEX (nid)
* ALTER TABLE {content_type_group} ADD INDEX (nid)
* ALTER TABLE {content_type_page} ADD INDEX (nid)
* ALTER TABLE {content_type_story} ADD INDEX (nid)

Update #1010
* No queries
Comment 10•16 years ago

Looks like we already had CCK 1.9; the second SA was just delayed. Thanks for your help, everyone.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•11 years ago
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Updated•5 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard