[IT-SecNots] [Security-news] SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported

[security-news AT drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-006
  * Projects: SuperCron [1], Taxotouch [2], Taxonomy Navigator [3],
    Admin:hover [4] (third-party modules)
  * Version: 6.x, 7.x
  * Date: 2012-January-11
  * Security risk: Critical [5]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Cross Site Request Forgery

-------- DESCRIPTION  
---------------------------------------------------------

SuperCron [6] is a complete replacement for Drupal's built-in Cron
functionality. The module is vulnerable to Cross Site Scripting. The
vulnerability is mitigated by an attacker needing to gain an account with
"access administration pages" permission.

Taxotouch [7] helps you navigate taxonomy. The module is vulnerable to Cross
Site Scripting. The vulnerability is mitigated by an attacker needing to gain
an account with the ability to create a vocabulary or taxonomy terms.

Taxonomy Navigator [8]shows terms from a vocabulary. The module is vulnerable
to Cross Site Scripting. The vulnerability is mitigated by an attacker
needing to gain an account with the ability to create a vocabulary or
taxonomy terms.

Admin:hover [9] allows admins to easily publish/unpublish nodes. The module
is vulnerable to Cross Site Request Forgeries which would allow an attacker
to trick an admin into executing enabled actions such as unpublishing all
nodes.

-------- VERSIONS AFFECTED  
---------------------------------------------------

All versions of all four modules are affected by vulnerabilities.

Drupal core is not affected. If you do not use one of the contributed modules
listed above, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Users of these modules are encouraged to disable the modules and search for
similar alternatives. Users of the module who wish to take over
maintainership should post patches to the issue queue to fix the security
issues and request maintenance following the Abandoned project process [10]

-------- REPORTED BY  
---------------------------------------------------------

  * The Supercron issue was prematurely disclosed publicly outside of the
    security issue reporting process [11]
  * Admin:hover issue reported by Ivo Van Geertruyen [12] of the Drupal
    Security Team
  * Taxotouch issue reported by Dylan Tack [13] of the Drupal Security Team
  * Taxonomy Navigator issue reported by Dylan Tack [14] of the Drupal
    Security Team

-------- FIXED BY  
------------------------------------------------------------

No fixes created.

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].


[1] http://drupal.org/project/supercron
[2] http://drupal.org/project/taxotouch
[3] http://drupal.org/project/taxonomy_navigator
[4] http://drupal.org/project/admin_hover
[5] http://drupal.org/security-team/risk-levels
[6] http://drupal.org/project/supercron
[7] http://drupal.org/project/taxotouch
[8] http://drupal.org/project/taxonomy_navigator
[9] http://drupal.org/project/admin_hover
[10] http://drupal.org/node/251466
[11] http://drupal.org/node/101494
[12] http://drupal.org/user/383424
[13] http://drupal.org/user/96647
[14] http://drupal.org/user/96647
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news