------------SA-2008-035 - AGGREGATION - MULTIPLE VULNERABILITIES------------
* Advisory ID: SA-2008-035
* Project: Aggregation (third-party module)
* Versions: 5.x
* Date: 2008-June-11
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
------------DESCRIPTION------------
The Aggregation module syndicates content from external feeds, saving the fetched items as nodes. A significant number of vulnerabilities were discovered in the module:
Cross site scripting - Numerous values are displayed without being properly escaped or filtered, which enables users to inject arbitrary HTML and script code on pages.
SQL Injection - Numerous values are used in SQL strings without being properly sanitized.
Arbitrary code execution - Maliciously constructed feeds can result in the upload of files with arbitrary extensions to the server. Whether this leads to arbitrary code execution depends on the exact server configuration.
Access bypass - Incorrect implementation of node access checks results in access bypass when node access modules (e.g. taxonomy access control, acl) are used.
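The four defect classes above, as an added illustration that is not code from the Aggregation module or from this advisory. The snippets are written against the Drupal 5 API (db_query() placeholders, check_plain(), filter_xss(), file_munge_filename(), db_rewrite_sql()); every function, table and variable name prefixed example_ is invented for the illustration, and the unsafe variants are shown only to contrast with the hardened forms, not as the module's actual code.

```php
<?php
// Added example, not code from the Aggregation module. Shows each defect
// class named in the advisory as an unsafe pattern beside its Drupal 5 fix.
// All example_* names and the {example_feed}/{example_item} tables are invented.

// 1. Cross site scripting: feed-supplied values rendered without escaping.
function example_item_title_unsafe($item) {
  // The feed title goes straight into the page; <script> in the feed runs in the browser.
  return '<h2>'. $item->title .'</h2>'. $item->description;
}
function example_item_title_safe($item) {
  // check_plain() HTML-escapes plain-text fields; filter_xss() keeps only a
  // tag whitelist (and strips on* attributes and javascript: URLs) for fields
  // that legitimately carry markup, such as item descriptions.
  $title = check_plain($item->title);
  $body  = filter_xss($item->description, array('a', 'em', 'strong', 'p', 'br'));
  return '<h2>'. $title .'</h2>'. $body;
}

// 2. SQL injection: untrusted values interpolated into the query string.
function example_load_feed_unsafe($feed_url) {
  // A URL containing a quote character rewrites the query.
  return db_fetch_object(db_query("SELECT * FROM {example_feed} WHERE url = '$feed_url'"));
}
function example_load_feed_safe($feed_url) {
  // db_query() placeholders: '%s' is escaped (keep the quotes), %d is cast to int.
  return db_fetch_object(db_query("SELECT * FROM {example_feed} WHERE url = '%s'", $feed_url));
}

// 3. Arbitrary upload via enclosures: the file name is taken from the feed.
function example_save_enclosure_unsafe($enclosure_url, $data) {
  $name = basename($enclosure_url);  // attacker picks the name, e.g. shell.php
  return file_save_data($data, file_directory_path() .'/'. $name);
}
function example_save_enclosure_safe($enclosure_url, $data) {
  $parts = parse_url($enclosure_url);
  $name = isset($parts['path']) ? basename($parts['path']) : '';
  if ($name === '') {
    return FALSE;
  }
  // Whitelist what a feed may deliver. file_munge_filename() neutralises
  // double extensions (foo.php.txt -> foo.php_.txt); the final extension is
  // not checked by it, so it is tested against the whitelist separately.
  $whitelist = array('jpg', 'jpeg', 'gif', 'png', 'mp3', 'pdf');
  $name = file_munge_filename($name, implode(' ', $whitelist), FALSE);
  if (!preg_match('/\.('. implode('|', $whitelist) .')$/i', $name)) {
    return FALSE;
  }
  return file_save_data($data, file_directory_path() .'/'. $name);
}

// 4. Access bypass: listing nodes without honouring node access modules.
function example_list_items_unsafe($feed_id) {
  // Every item is listed regardless of the grants a node access module imposes.
  return db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {example_item} i ON i.nid = n.nid WHERE i.fid = %d", $feed_id);
}
function example_list_items_safe($feed_id) {
  // db_rewrite_sql() lets node access modules (taxonomy access control, acl, ...)
  // add their grant conditions to the query; 'n' must alias the {node} table.
  $sql = "SELECT n.nid, n.title FROM {node} n INNER JOIN {example_item} i ON i.nid = n.nid WHERE i.fid = %d AND n.status = 1";
  return db_query(db_rewrite_sql($sql), $feed_id);
}
```

Drupal core writes an .htaccess file into the files directory (see SA-2006-006) that stops Apache from executing scripts stored there; that is the server configuration the advisory's code-execution caveat depends on, and the extension whitelist still matters on servers that do not honour .htaccess.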
------------VERSIONS AFFECTED------------
* Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4
Drupal core is not affected. If you do not use the contributed Aggregation module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you currently use Aggregation 5.x, upgrade to Aggregation 5.x-4.4 [ http://drupal.org/node/269184 ]
See also the Aggregation project page [ http://drupal.org/project/aggregation ].
------------REPORTED BY------------
The cross site scripting issue was publicly reported by fonan [ http://drupal.org/user/96515 ].
The other issues were identified by Adam Light (aclight [ http://drupal.org/user/86358 ]) and Heine Deelstra (Heine [ http://drupal.org/user/17943 ]) of the Drupal security team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at
http://drupal.org/contact.