SA-2008-048 - CCK - CROSS SITE SCRIPTING

RESOLVED FIXED

Status

critical

People

(Reporter: paul, Assigned: justdave)

Tracking

({wsec-xss})

Description

11 years ago
Hello,

Would you please push the latest version of cck r18060 to production
as soon as we're both happy it's working on stage.

It seems to be working fine on my local server.

Apologies, I forgot to add a message with the SVN commit.



------------SA-2008-048 - CCK - CROSS SITE SCRIPTING------------

 * Advisory ID: DRUPAL-SA-2008-048

 * Project: CCK (third-party module)

 * Version: 5.x

 * Date: 2008-Sep-04

 * Security risk: Not critical

 * Exploitable from: Remote

 * Vulnerability: Cross site scripting

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add
custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on the
fields settings forms are then displayed without appropriate filtering.
Malicious users with the "administer content" permission are able to exploit
this issue and insert arbitrary HTML and script code into pages. Such a cross
site scripting attack (XSS) may lead to the malicious user gaining full
administrative access.

This is only an issue if you need any role separation between administrators
and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

 * CCK for Drupal 5.x prior to 5.x-1.8

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected.
If you do not use the contributed CCK module on a Drupal 5 site, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version: 
 * CCK 5.x-1.8 [ http://drupal.org/node/303532 ]

See also the CCK project page [ http://drupal.org/project/cck ].

------------NOTE------------

If your theme uses field templates, you will need to manually change the
function phptemplate_field (or possibly THEME_NAME_field) in your theme's
template.php:
change:
'label' => t($field['widget']['label']),
to:
'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

 * The cross site scripting issue was reported by Peter Wolanin [
http://drupal.org/user/49851 ] from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].



Security issue. Should get this reviewed and deployed ASAP.
Severity: major → critical
OS: Mac OS X → All
Hardware: PC → All
Comment 2

11 years ago
@Alix

I would highly recommend we have someone else on our spreadfirefox team signing up for security announcements @ http://drupal.org/security so that we can jump on security issues more quickly. Perhaps then we could have an arrangement where, if someone receives a notification from drupal.org of a security problem, that information is forwarded to me via an SMS text to my mobile phone and then I can get online quickly to resolve any problem.

Best, Paul
Comment 3

11 years ago
(In reply to comment #0)
> Hello,
> 
> Would you please push the latest version of cck r18060 to production
> as soon as were both happy its working on stage .
> 
> It seems to be working fine on my local server.  
> 
> Apologies , i forgot to add a message with the SVN commit
> 

I get the errors below on the stage server that I don't see on my local server
when I preview a document (with an additional text field created with CCK) ...
however it seems to submit fine.

In php.ini
error_reporting  =  E_ALL



    * warning: Invalid argument supplied for foreach() in
/data/www/spreadfirefox.authstage.mozilla.com/modules/node/node.module on line
521.
    * warning: implode() [function.implode]: Bad arguments. in
/data/www/spreadfirefox.authstage.mozilla.com/modules/node/node.module on line
525.
    * user warning: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near '' at
line 1 query: SELECT n.nid, n.vid, n.type, n.status, n.created, n.changed,
n.comment, n.promote, n.sticky, r.timestamp AS revision_timestamp, r.title,
r.body, r.teaser, r.log, r.format, u.uid, u.name, u.picture, u.data FROM node n
INNER JOIN users u ON u.uid = n.uid INNER JOIN node_revisions r ON r.vid =
n.vid WHERE in
/data/www/spreadfirefox.authstage.mozilla.com/includes/database.mysql.inc on
line 172.
The above error is not related to the CCK upgrade. Filed bug 453864.

there is another difference however, on stage, on the homepage (and others) the following is showing up under the search box, and shouldn't be.

  CAPTCHA administration:
  Place a challenge here for untrusted users.

This also showed up on update.php.
Never mind, the above error was a Drupal settings problem.

Committed revision 18066.


Could you svn up production and run update.php please? Thanks.
Assignee: nobody → server-ops
Component: spreadfirefox.com → Server Operations: Web Content Push
Product: Websites → mozilla.org
QA Contact: spreadfirefox-com → mrz
Version: unspecified → other
Assignee: server-ops → justdave
sigh...

------------SA-2008-048-B - CCK - CROSS SITE SCRIPTING------------

 * Advisory ID: DRUPAL-SA-2008-048-b

 * Project: CCK (third-party module)

 * Version: 5.x

 * Date: 2008-Sep-04

 * Security risk: Not critical

 * Exploitable from: Remote

 * Vulnerability: Cross site scripting

------------UPDATE------------

This security announcement is an update of the SA-2008-048 announcement which
advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for
Drupal 5.x to 5.x-1.9.

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add
custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on the
fields settings forms are then displayed without appropriate filtering.
Malicious users with the "administer content" permission are able to exploit
this issue and insert arbitrary HTML and script code into pages. Such a cross
site scripting attack (XSS) may lead to the malicious user gaining full
administrative access.

This is only an issue if you need any role separation between administrators
and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

 * CCK for Drupal 5.x prior to 5.x-1.9

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected.
If you do not use the contributed CCK module on a Drupal 5 site, there is
nothing you need to do.

------------SOLUTION------------

Install the latest version:
 * CCK 5.x-1.8 [ http://drupal.org/node/303532 ] 5.x-1.8 had two critical [
http://drupal.org/node/304118 ] bugs [ http://drupal.org/node/304122 ]

 * CCK 5.x-1.9 [ http://drupal.org/node/304193 ] hot fix release - includes
security fix and these critical issue fixes.

See also the CCK project page [ http://drupal.org/project/cck ].

------------NOTE------------

If your theme uses field templates, you will need to manually change the
function phptemplate_field (or possibly THEME_NAME_field) in your theme's
template.php:
change:
'label' => t($field['widget']['label']),
to:
'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

 * The cross site scripting issue was reported by Peter Wolanin [
http://drupal.org/user/49851 ] from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
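The NOTE in both advisories above replaces an unescaped field label with a check_plain()-wrapped one. As an added example (not code from the advisory or from the CCK module), the two theme variants are shown side by side under plain PHP, with stand-ins for Drupal's t() and check_plain(), a constructed field label carrying markup, and a small check that flags a template.php override still using the unescaped form.

```php
<?php
// Added example: the vulnerable and fixed label rendering from the
// SA-2008-048 NOTE, plus a check for theme overrides that still need
// the patch. Stand-ins below are not Drupal's real implementations.

// Stand-in for Drupal's t(): no translation, returns the string as-is.
function t($string) {
  return $string;
}

// Stand-in for Drupal's check_plain(): escape every HTML-significant
// character, quotes included, so the value can only render as text.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Pre-fix form: the label reaches the page unescaped, so any markup an
// "administer content" user typed into the field settings is rendered.
function theme_field_label_unsafe(array $field) {
  return '<label>' . t($field['widget']['label']) . '</label>';
}

// Fixed form from the advisory NOTE: the translated label is escaped.
function theme_field_label_safe(array $field) {
  return '<label>' . check_plain(t($field['widget']['label'])) . '</label>';
}

// Audit helper (hypothetical, not part of CCK): true when template.php
// source still contains the unescaped expression the NOTE tells you to change.
function template_needs_patch($template_source) {
  $pattern = '/\'label\'\s*=>\s*t\(\$field\[\'widget\'\]\[\'label\'\]\)/';
  return (bool) preg_match($pattern, $template_source);
}

// Constructed field definition: a label containing markup and a quote.
$field = array('widget' => array('label' => 'Name <b>(required)</b> "x"'));

echo "unsafe: " . theme_field_label_unsafe($field) . PHP_EOL;
echo "safe:   " . theme_field_label_safe($field) . PHP_EOL;

// Constructed template.php fragments: the old line and the patched line.
$old_line = "'label' => t(\$field['widget']['label']),";
$new_line = "'label' => check_plain(t(\$field['widget']['label'])),";
echo "old line needs patch: " . var_export(template_needs_patch($old_line), true) . PHP_EOL;
echo "new line needs patch: " . var_export(template_needs_patch($new_line), true) . PHP_EOL;
```

Run with `php example.php`; the unsafe line prints the `<b>` tag verbatim while the safe line prints it entity-escaped, and only the old template line is flagged.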
(In reply to comment #6)
> could you svn up production and run update.php please, thanks

Code is deployed.  I'm currently unable to run the update.php script because it appears to have to be run from the web, and the webservers have it ACLed off so you can't get to it that way.  Trying to track down some help (if you know how to make it work from the command line, let me know).
The following queries were executed
content module
Update #1009

    * ALTER TABLE {content_type_webform} ADD INDEX (nid)
    * ALTER TABLE {content_type_image} ADD INDEX (nid)
    * ALTER TABLE {content_type_blog} ADD INDEX (nid)
    * ALTER TABLE {content_type_forum} ADD INDEX (nid)
    * ALTER TABLE {content_type_poll} ADD INDEX (nid)
    * ALTER TABLE {content_type_event} ADD INDEX (nid)
    * ALTER TABLE {content_type_document} ADD INDEX (nid)
    * ALTER TABLE {content_type_feed} ADD INDEX (nid)
    * ALTER TABLE {content_type_feeditems} ADD INDEX (nid)
    * ALTER TABLE {content_type_group} ADD INDEX (nid)
    * ALTER TABLE {content_type_page} ADD INDEX (nid)
    * ALTER TABLE {content_type_story} ADD INDEX (nid)

Update #1010

    * No queries
Looks like we already had CCK 1.9; the second SA was just delayed.

Thanks for your help, everyone.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations