it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-078 - Kaltura - Information disclosure

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-078 - Kaltura - Information disclosure
  • Date: Wed, 28 Jul 2010 22:42:10 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-078
* Project: Kaltura (third-party module)
* Versions: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information disclosure

-------- DESCRIPTION ---------------------------------------------------------

The Kaltura module integrates the Kaltura open source video platform with
Drupal. When installing, uninstalling, or configuring the module, it would
surreptitiously inject a hidden iframe into the messages displayed to the
administrator, with the iframe's source pointing to corp.kaltura.com/stats/drupal.
These requests were made without the prior knowledge or authorization of site
administrators. The iframe also included information such as the site's
Kaltura partner ID, registration ID, or registration error code. Because most
browsers also send the referring page (the Referer header) when loading an
iframe, information such as the URL or IP address of the Drupal site could also
have been obtained.
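
As an added illustration (not code from the module, from Drupal or from the security team), a small Python audit that scans administrator-facing HTML messages for off-site iframes of the kind described above and reports the third-party host, whether the frame is hidden, and which query parameters it would hand over. The sample messages, the parameter names and the site host example.org are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Inline styles that hide an iframe from the administrator viewing the message.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []                      # attribute dict of every <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def absolute_src(src):
    """Prefix a scheme so urlparse sees the host of e.g. "corp.kaltura.com/stats/drupal"."""
    if src.startswith("//"):
        return "http:" + src
    return src if "://" in src or src.startswith("/") else "http://" + src

def is_hidden(attrs):
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return any(attrs.get(k, "").strip().rstrip("px") == "0" for k in ("width", "height"))

def find_beacons(html, site_host):
    """Off-site iframes in html: host, whether hidden, and the query parameter names sent
    to that host. The browser also sends the page URL as Referer, leaking the site itself."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        url = urlparse(absolute_src(attrs.get("src", "")))
        host = (url.hostname or "").lower()
        if not host or host == site_host.lower():
            continue                           # site-relative or same-site frame: not a beacon
        findings.append({"host": host, "hidden": is_hidden(attrs),
                         "leaked_params": list(parse_qs(url.query))})
    return findings

# Constructed samples (not the module's real output): one advisory-style beacon, two same-site frames.
SAMPLE_MESSAGES = [
    'Kaltura settings saved. <iframe src="http://corp.kaltura.com/stats/drupal'
    '?partner_id=CONSTRUCTED_PID&amp;reg_id=CONSTRUCTED_RID" width="0" height="0"'
    ' style="display:none"></iframe>',
    'Preview: <iframe src="/sites/default/files/preview.html" width="300" height="200"></iframe>',
    '<iframe src="https://example.org/player" width="640" height="360"></iframe>',
]
```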

-------- RESPONSIBLE COLLECTION OF USAGE STATISTICS FOR DRUPAL MODULES -------

The popularity of modules hosted on drupal.org is already tracked based on
data in the request when a Drupal installation checks to see if any of its
modules have new releases (see the Kaltura usage page [1] for example). This
information is gathered with privacy in mind: an open discussion [2] occurred
before including private information in the requests; the data is not shared
outside of Drupal.org server administrators (approximately 10 people); site
administrators are alerted to this system during installation of their site
and they can opt in or out at any time.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Kaltura module for Drupal 6.x prior to 6.x-1.5, and all 6.x-2.x versions
* Kaltura module for Drupal 5.x prior to 5.x-1.4

Drupal core is not affected. If you do not use the Kaltura module, there is
nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use Kaltura module for Drupal 5.x upgrade to Kaltura 5.x-1.4 [3]
* If you use Kaltura module for Drupal 6.x upgrade to Kaltura 6.x-1.5 [4]
* If you use Kaltura module for Drupal version 6.x-2.0 or 6.x-2.x-dev,
downgrade to Kaltura 6.x-1.5 [5]

Also see the Kaltura project page [6].

-------- REPORTED BY ---------------------------------------------------------

* Denis Slepichev [7]
* Chris Burgess [8]

-------- FIXED BY ------------------------------------------------------------

* Chris Burgess [9], the new module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/usage/kaltura
[2] http://lists.drupal.org/pipermail/development/2007-December/027921.html
[3] http://drupal.org/node/867754
[4] http://drupal.org/node/848996
[5] http://drupal.org/node/848996
[6] http://drupal.org/project/kaltura
[7] http://drupal.org/user/399704
[8] http://drupal.org/user/76026
[9] http://drupal.org/user/76026
[10] http://drupal.org/security-team

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news


Archive provided by MHonArc 2.6.19.
