- Advisory ID: DRUPAL-SA-2007-004.
- Project: Project and Project issue tracking (third party modules).
- Date: 2007-Jan-23.
- Security risk: Moderately critical.
- Exploitable from: Remote.
- Vulnerability: Access bypass, Cross site scripting, and unsafe file upload handling.
Multiple vulnerabilities have been discovered and fixed in the Project and Project issue tracking modules:
Access bypass in Project issue tracking
Due to an error in the project_issue_access() function, users with the 'Access project issues' permission would have full access to all issues on a site, even if additional access control modules were being used (for example, simple_access, node_privacy_byrole, tac_lite, etc). Additionally, if a site is configured to use the private download method, files attached to project issues that are marked as confidential or private would be publicly available for download if a user knew or could guess the filename. Sites using these node-specific access control methods in conjunction with project issues are urged to upgrade immediately.
Revoking the "access project issues" permission provides an immediate workaround.
Cross site scripting (XSS) in Project and Project issue tracking
Several fields on project nodes are not passed through check_plain() on display. Additionally, certain project-specific settings regarding issue tracking are also being displayed without proper filtering. A malicious user could use these fields to insert and execute XSS (Cross Site Scripting). This may lead to administrator access if certain conditions are met. To exploit these vulnerabilities, a user would have to have the 'maintain projects' permission and be able to create project nodes on your site. Learn more about XSS on Wikipedia.
Revoking the "maintain projects" permission provides an immediate workaround.
Unsafe file handling in Project issue tracking
Users are allowed to attach files to project issues. If a file with an executable extension or multiple extensions such as file.php.pps is uploaded and then accessed from a web browser, most Apache configurations will execute the file as a script. Drupal uses a .htaccess file in the directory where files are uploaded (including issue attachments) to prevent the execution of any dynamic script handlers. However, sites where .htaccess FileInfo overrides are disabled would still be vulnerable. Now, the Project issue tracking module will rename any uploaded files with multiple, non-numeric, and non-white-listed extensions. See DRUPAL-SA-2006-006 and Revision to DRUPAL-SA-2006-006 for more information.
Revoking the "create project issues" permission provides an immediate workaround. However, site administrators are urged to inspect the directory where issue attachments are stored (files/issues by default) looking for potentially malicious multi-extension files or files ending in any executable extensions (.py, etc), and removing them or renaming the file extension to just .txt as appropriate (for example, file.php.pps should be renamed to
Versions affected:
- Project issue tracking 5.x-0.x-dev prior to 2007-01-23
- Project issue tracking 4.7.x-2.1
- Project issue tracking 4.7.x-1.1
- Project 5.x-0.x-dev prior to 2007-01-23
- Project 4.7.x-2.1
- Project 4.7.x-1.1
- Project 4.6.x-1.1
- Project issue tracking 4.7.0 (from before the new release system)
- Project 4.7.0 (from before the new release system)
- Project 4.6.0 (from before the new release system)
Note that in 4.6.x, Project issue tracking is included as part of the Project module.
Drupal core is not affected. If you do not use the contributed Project and/or Project issue tracking modules, there is nothing you need to do.
Install the latest versions:
- Project issue tracking 5.x-0.1-beta.
- Project issue tracking 4.7.x-2.2.
- Project issue tracking 4.7.x-1.2.
- Project 5.x-0.1-beta.
- Project 4.7.x-2.2.
- Project 4.7.x-1.2.
If you are using a version of Project and/or Project issue tracking from before the new release system (4.7.0), upgrade to 4.7.x-1.2.
NOTE: The 4.6.x version of the Project module is no longer supported. Any sites still using the 4.6.x releases are urged to upgrade to the 4.7.x-1.2 release.
XSS vulnerabilities reported by Brandon Bergren (bdragon).
Access bypass reported by Derek Wright (dww) of the Drupal security team.
File handling reported by Heine Deelstra (Heine) of the Drupal security team.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.