Drupal Ubercart Module Multiple Security Vulnerabilities
BID:53251
Info
| Bugtraq ID: | 53251 |
| Class: | Unknown |
| CVE: | CVE-2012-2299, CVE-2012-2300, CVE-2012-2301 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 25 2012 12:00AM |
| Updated: | Nov 19 2014 12:56AM |
| Credit: | Shaun Dychko, Lee Rowlands and Dave Long |
| Vulnerable: | Drupal Ubercart 7.x-3.0, Drupal Ubercart 6.X-2.4, Drupal Ubercart 6.X-2.1, Drupal Ubercart 6.x-2.0 |
| Not Vulnerable: | Drupal Ubercart 7.x-3.1, Drupal Ubercart 6.x-2.8 |
Discussion
The Ubercart module for Drupal is prone to a cross-site-scripting vulnerability, a local information-disclosure vulnerability and a remote PHP-code-execution vulnerability.
Attackers can exploit these issues to execute arbitrary PHP code in the context of the webserver, obtain sensitive information, and steal cookie-based authentication credentials from legitimate users of the site. Other attacks are also possible.
These vulnerabilities affect the following:
- Drupal Ubercart 6.x-2.x versions prior to 6.x-2.8
- Drupal Ubercart 7.x-3.x versions prior to 7.x-3.1
Exploit / POC
Attackers can exploit these issues with a browser. To exploit a cross-site scripting issue, an attacker must entice an unsuspecting user to follow a malicious URI.
Local attackers can use standard tools to exploit the information-disclosure issue.
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References:
- Drupal Homepage (Drupal)
- SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities (Drupal)
- Ubercart Project Page (Drupal)