- DRUPAL-SA-CONTRIB-2010-108
- Project: Who Bought What|Ubercart (third-party module)
- Version: 6.x
- Date: 2010-Dec-08
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Multiple Vulnerabilities
Description
The Who Bought What module collects and displays relevant information about purchases, including purchaser name, quantity, payment status, and all attributes.
The module does not properly sanitize arguments passed via the URL when they are used in SQL queries, leading to a SQL Injection vulnerability. Additionally, the module neglects to sanitize some user-generated content before displaying it, leading to a Cross-Site Scripting (XSS) vulnerability. Finally, the module allows users with the "view uc_who_bought_what" permission to view the title of any node in the system, including unpublished nodes and nodes that the user might otherwise not have access to, which constitutes an Information Disclosure vulnerability.
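As an added illustration (not code from the Who Bought What module, nor the fix the maintainer shipped): a hypothetical Drupal 6 page callback showing the three weak patterns the advisory describes next to a hardened version. It assumes Drupal 6 core APIs and the Ubercart tables uc_orders and uc_order_products; the column names used are assumptions.

```php
<?php
// Added illustrative example, not code from the Who Bought What module.
// Assumes Drupal 6 core APIs and the Ubercart tables uc_orders and
// uc_order_products (column names are assumptions).

// Weak pattern: URL argument concatenated into SQL, node title shown without
// an access check, purchaser names printed unescaped.
function wbw_example_weak($nid) {
  $title = db_result(db_query("SELECT title FROM {node} WHERE nid = " . $nid));
  $result = db_query("SELECT o.billing_first_name, o.billing_last_name, op.qty
    FROM {uc_order_products} op INNER JOIN {uc_orders} o ON o.order_id = op.order_id
    WHERE op.nid = " . $nid);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = array($row->billing_first_name . ' ' . $row->billing_last_name, $row->qty);
  }
  return '<h2>' . $title . '</h2>' . theme('table', array(t('Purchaser'), t('Qty')), $rows);
}

// Hardened pattern for the same page.
function wbw_example_hardened($nid) {
  // SQL injection: reject non-numeric input and bind the value with a %d
  // placeholder instead of string concatenation.
  if (!is_numeric($nid)) {
    return drupal_not_found();
  }
  // Information disclosure: load the node and apply node access, so
  // unpublished or restricted nodes are not revealed to this user.
  $node = node_load((int) $nid);
  if (!$node || !node_access('view', $node)) {
    return drupal_access_denied();
  }
  $result = db_query("SELECT o.billing_first_name, o.billing_last_name, op.qty
    FROM {uc_order_products} op INNER JOIN {uc_orders} o ON o.order_id = op.order_id
    WHERE op.nid = %d", $node->nid);
  $rows = array();
  while ($row = db_fetch_object($result)) {
    // XSS: escape user-supplied purchaser data before it is rendered.
    $name = check_plain($row->billing_first_name . ' ' . $row->billing_last_name);
    $rows[] = array($name, (int) $row->qty);
  }
  return '<h2>' . check_plain($node->title) . '</h2>'
    . theme('table', array(t('Purchaser'), t('Qty')), $rows);
}
```

The "view uc_who_bought_what" permission named in the advisory still gates the page in hook_menu; the node_access() check adds the per-node authorization that permission alone does not provide.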
Versions affected
- Who Bought What|Ubercart module for Drupal 6.x versions prior to 6.x-2.11.
Drupal core is not affected. If you do not use the contributed Who Bought What|Ubercart module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Who Bought What|Ubercart module for Drupal 6.x, upgrade to Who Bought What|Ubercart 6.x-2.11.
See also the Who Bought What|Ubercart project page.
Reported by
- The SQL Injection vulnerability was reported by Mark Styles (lambic)
- The XSS and Information Disclosure vulnerabilities were reported by mr.baileys of the Drupal.org Security Team
Fixed by
- Michael Moradzadeh (Cayenne), module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.