Core Security Advisories

Subscribe to Core Security Advisories feed
Updated: 8 min 6 sec ago

SA-CORE-2014-004 - Drupal core - Denial of service

Wed, 08/06/2014 - 1:41pm
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • CVE-2014-5265 has been issued for the code changes in xmlrpc.inc which prevent entity declarations and therefore address the "vulnerable to an XML entity expansion attack ... can cause CPU and memory exhaustion" concern.
  • CVE-2014-5266 has been issued for the "Skip parsing if there is an unreasonably large number of tags" in both xmlrpc.inc and xrds.inc.
  • CVE-2014-5267 has been issued for the code change to reject any XRDS document with a /<!DOCTYPE/i match.
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Wed, 07/16/2014 - 10:48am
  • Advisory ID: DRUPAL-SA-CORE-2014-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.

Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued
  • Denial of service (Base system - Drupal 6 and 7 - Critical): CVE-2014-5019
  • Access bypass (File module - Drupal 7 - Critical): CVE-2014-5020
  • Cross-site scripting (Form API - Drupal 6 and 7 - Moderately critical): CVE-2014-5021
  • Cross-site scripting (Ajax system - Drupal 7 - Moderately critical): CVE-2014-5022
Versions affected
  • Drupal core 6.x versions prior to 6.32.
  • Drupal core 7.x versions prior to 7.29.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
  • The access bypass vulnerability in the File module was reported by Ivan Ch.
  • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
  • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
Fixed by
  • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
  • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
  • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
  • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2014-002 - Drupal core - Information Disclosure

Wed, 04/16/2014 - 3:50pm
  • Advisory ID: DRUPAL-SA-CORE-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-April-16
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.

When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.

This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.

Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes and Drupal 7.27 release notes for more information.

CVE identifier(s) issued
  • CVE-2014-2983
Versions affected
  • Drupal core 6.x versions prior to 6.31.
  • Drupal core 7.x versions prior to 7.27.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities

Wed, 01/15/2014 - 2:33pm
  • Advisory ID: DRUPAL-SA-CORE-2014-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-January-15
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Impersonation (OpenID module - Drupal 6 and 7 - Highly critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities.

Access bypass (Taxonomy module - Drupal 7 - Moderately critical)

The Taxonomy module provides various listing pages which display content tagged with a particular taxonomy term. Custom or contributed modules may also provide similar lists. Under certain circumstances, unpublished content can appear on these pages and will be visible to users who should not have permission to see it.

This vulnerability is mitigated by the fact that it only occurs on Drupal 7 sites which upgraded from Drupal 6 or earlier.

Security hardening (Form API - Drupal 7 - Not critical)

The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately bypassed, and any form element may be submitted regardless of the current user's access level.

This is normal and expected behavior for most uses of programmatic form submissions; however, there are cases where custom or contributed code may need to send data provided by the current (untrusted) user to drupal_form_submit() and therefore need to respect access control on the form.

To facilitate this, a new, optional $form_state['programmed_bypass_access_check'] element has been added to the Drupal 7 form API. If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them.

This change does not fix a security issue in Drupal core itself, but rather provides a method for custom or contributed code to fix security issues that would be difficult or impossible to fix otherwise.

CVE identifier(s) issued
  • Impersonation (OpenID module - Drupal 6 and 7 - Highly critical): CVE-2014-1475
  • Access bypass (Taxonomy module - Drupal 7 - Moderately critical): CVE-2014-1476
  • Security hardening (Form API - Drupal 7 - Not critical): No CVE necessary.
Versions affected
  • Drupal core 6.x versions prior to 6.30.
  • Drupal core 7.x versions prior to 7.26.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The OpenID module impersonation issue was reported by Christian Mainka and Vladislav Mladenov.
  • The Taxonomy module access bypass issue was reported by Matt Vance, and by Damien Tournoud of the Drupal Security Team.
  • The form API access bypass issue was reported by David Rothstein of the Drupal Security Team.
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

Wed, 11/20/2013 - 3:41pm
  • Advisory ID: DRUPAL-SA-CORE-2013-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-November-20
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)

Drupal's form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails.

This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release.

Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied.

Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)

Drupal core attempts to add a "defense in depth" protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the "Solution" section below.

This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal's file API to manage uploads in a safe manner.

Access bypass (Security token validation - Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability.

Cross-site scripting (Image module - Drupal 7)

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the "administer taxonomy" permission to edit fields on taxonomy terms.

Cross-site scripting (Color module - Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.

Open redirect (Overlay module - Drupal 7)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission.

CVE identifier(s) issued
  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7): CVE-2013-6386
  • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7): No CVE; considered remediated through "security hardening"
  • Access bypass (Security token validation - Drupal 6 and 7): No CVE; considered remediated through "security hardening."
  • Cross-site scripting (Image module - Drupal 7): CVE-2013-6387
  • Cross-site scripting (Color module - Drupal 7): CVE-2013-6388
  • Open redirect (Overlay module - Drupal 7): CVE-2013-6389
Versions affected
  • Drupal core 6.x versions prior to 6.29.
  • Drupal core 7.x versions prior to 7.24.
Solution

Install the latest version:

Also see the Drupal core project page.

Warning: Fixing the code execution prevention may require server configuration; please read:

To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site's .htaccess files in the files directories. Until you do this, your site's status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files.

To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the site's files directory and temporary files directory, and (for Drupal 7 only) the separate private files directory if your site is configured to use one. To find the location of these directories, consult the error messages at admin/reports/status, or visit the file system configuration page at admin/settings/file-system (Drupal 6) or admin/config/media/file-system (Drupal 7). Note that you should only make changes to the .htaccess files that are found in the directories specified on that page. Do not change the top-level .htaccess file (at the root of your Drupal installation).

Go onto your server, navigate to each directory, and replace or create the .htaccess file in this directory with the contents described below. Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page (admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7) and click the save button to have Drupal create the file automatically.

The recommended .htaccess file contents are as follows.

For Drupal 6:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_flag engine off
</IfModule>

For Drupal 7:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:

Deny from all Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2013-002 - Drupal core - Denial of service

Wed, 02/20/2013 - 3:50pm
  • Advisory ID: DRUPAL-SA-CORE-2013-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2013-February-20
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of service
Description

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued
  • CVE-2013-0316
Versions affected
  • Drupal core 7.x versions prior to 7.20.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities

Wed, 01/16/2013 - 5:07pm
  • Advisory ID: DRUPAL-SA-CORE-2013-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-January-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)

A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection.

Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.

CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)

Access bypass (Book module printer friendly version - Drupal 6 and 7)

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.

CVE: CVE-2013-0245

Access bypass (Image module - Drupal 7)

Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.

CVE: CVE-2013-0246

CVE identifier(s) issued
  • CVE-2013-0244
  • CVE-2013-0245
  • CVE-2013-0246
Versions affected
  • Drupal core 6.x versions prior to 6.28.
  • Drupal core 7.x versions prior to 7.19.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

Wed, 12/19/2012 - 1:46pm
  • Advisory ID: DRUPAL-SA-CORE-2012-004
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-December-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Arbitrary PHP code execution
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.

This vulnerability is mitigated by the fact that the default Drupal core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user's profile, this could result in additional information about blocked users being disclosed on some sites.

Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.

This issue affects Drupal 6 only.

Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.

This vulnerability is mitigated by several factors: The attacker would need the permission to upload a file to the server. Certain combinations of PHP and filesystems are not vulnerable to this issue, though we did not perform an exhaustive review of the supported PHP versions. Finally: the server would need to allow execution of files in the uploads directory. Drupal core has protected against this with a .htaccess file protection in place from SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations. Users of IIS should consider updating their web.config. Users of Nginx should confirm that only the index.php and other known good scripts are executable. Users of other webservers should review their configuration to ensure the goals are achieved in some other way.

CVE identifier(s) issued
  • Access bypass (User module search - Drupal 6 and 7): CVE-2012-5651
  • Access bypass (Upload module - Drupal 6): CVE-2012-5652
  • Arbitrary PHP code execution (File upload modules - Drupal 6 and 7): CVE-2012-5653
Versions affected
  • Drupal core 6.x versions prior to 6.27.
  • Drupal core 7.x versions prior to 7.18.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The access bypass issue in the User module search results was reported by Derek Wright of the Drupal Security Team.
  • The access bypass issue in the Drupal 6 Upload module was reported by Simon Rycroft, and by Damien Tournoud of the Drupal Security Team.
  • The arbitrary code execution issue was reported by Amit Asaravala.
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Wed, 10/17/2012 - 5:29pm
  • Advisory ID: DRUPAL-SA-CORE-2012-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure, Arbitrary PHP code execution
Description

Multiple vulnerabilities were discovered in Drupal core.

Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.

CVE: CVE-2012-4553

Information disclosure - OpenID module

For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.

CVE: CVE-2012-4554

Versions affected
  • Drupal core 7.x versions prior to 7.16.

Drupal 6 is not affected.

Solution

Install the latest version:

If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.

Also see the Drupal core project page.

Reported by
  • The arbitrary PHP code execution vulnerability was reported by Heine Deelstra and Noam Rathaus working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team.
  • The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva.
Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Wed, 05/02/2012 - 11:17am
  • Advisory ID: DRUPAL-SA-CORE-2012-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2012-May-2
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected
  • Drupal core 7.x versions prior to 7.13.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
  • The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
  • The access bypass in forum listing vulnerability was reported by Glen W.
  • The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
  • The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.
Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

Wed, 02/01/2012 - 5:06pm
  • Advisory ID: DRUPAL-SA-CORE-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-February-01
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected
  • Drupal 6.x core prior to 6.23.
  • Drupal 7.x core prior to 7.11.
Solution

Install the latest version:

  • If you use Drupal 6.x upgrade to 6.23
  • If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2011-003 - Drupal core - Access bypass

Wed, 07/27/2011 - 3:32pm
  • Advisory ID: DRUPAL-SA-CORE-2011-003
  • Project: Drupal core
  • Version: 7.x
  • Date: 2011-July-27
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: CVE-2011-2726

Access bypass in private file fields on comments.

Drupal 7 contains two new features: the ability to attach File upload fields to any entity type in the system and the ability to point individual File upload fields to the private file directory.

If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL.

This issue affects Drupal 7.x only.

Versions affected
  • Drupal 7.x before version 7.5.
Solution

Install the latest version:

  • If you are running Drupal 7.x then upgrade to Drupal 7.5 or 7.6 7.7.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.5 and Drupal 7.6 7.7. Read the announcement for more information.

See also the Drupal core project page.

Reported by Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CORE-2011-002 - Drupal core - Access bypass

Wed, 06/29/2011 - 8:13pm
  • Advisory ID: DRUPAL-SA-CORE-2011-002
  • Project: Drupal core
  • Version: 7.x
  • Date: 2011-JUNE-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

CVE: CVE-2011-2687

Access bypass in node listings

Listings showing nodes but not JOINing the node table show all nodes regardless of restrictions imposed by the node_access system. In core, this affects the taxonomy and the forum subsystem.

This issue only affects sites using a node access module such as content access or forum access. If you do not use any node access system then your site is not affected by this vulnerability. It is still considered a best practice to run the latest release and all site owners are encouraged to upgrade when they can regardless of whether or not they are affected.

Note that fixing this issue in contributed modules requires a backwards-compatible API change for modules listing nodes. See http://drupal.org/node/1204572 for more details.

This issue affects Drupal 7.x only.

Versions affected
  • Drupal 7.0, 7.1 and 7.2.
Solution

Install the latest version:

  • If you are running Drupal 7.x then upgrade to Drupal 7.3 or 7.4.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.3 and Drupal 7.4. Read the announcement for more information.

See also the Drupal core project page.

Reported by Fixed by
  • The access bypass was fixed by Károly Négyesi, member of the Drupal security team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities

Wed, 05/25/2011 - 2:07pm
  • Advisory ID: DRUPAL-SA-CORE-2011-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2011-May-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Scripting
Description

CVE: CVE-2011-2687

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Reflected cross site scripting vulnerability in error handler

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.

This issue affects Drupal 6.x only.

Cross site scripting vulnerability in Color module

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

When using private files in combination with a node access module, the File module allows unrestricted access to private files.

This issue affects Drupal 7.x only.

Versions affected
  • Drupal 7.x before version 7.1.
  • Drupal 6.x before version 6.21.
Solution

Install the latest version:

  • If you are running Drupal 7.x then upgrade to Drupal 7.1 or 7.2.
  • If you are running Drupal 6.x then upgrade to Drupal 6.21 or 6.22.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.1 and Drupal 7.2 or Drupal 6.21 and Drupal 6.22.

See the release announcement for more information.

See also the Drupal core project page.

Reported by
  • The reflected cross site scripting vulnerability was reported by Heine Deelstra (*).
  • The Color module cross site scripting vulnerability was reported by Kasper Lindgaard, Secunia Research.
  • The File access bypass was reported by Hubert Lecorche, and Peter Bex.
Fixed by

(*) Member of the Drupal security team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x

SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities

Wed, 08/11/2010 - 3:53pm
  • Advisory ID: DRUPAL-SA-CORE-2010-002
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2010-August-11
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

OpenID authentication bypass

The OpenID module provides users the ability to login to sites using an OpenID account.

The OpenID module doesn't implement all the required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks.

Specifically:
- OpenID should verify that a "openid.response_nonce" has not already been used for an assertion by the OpenID provider
- OpenID should verify the value of openid.return_to as obtained from the OpenID provider
- OpenID must verify that all fields that are required to be signed are signed

These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs.

This issue affects Drupal 6.x only. A separate security announcement and release is published for the contributed OpenID module for Drupal 5.x.

File download access bypass

The upload module allows users to upload files and provides access checking for file downloads.

The module looks up files for download in the database and serves them for download after access checking. However, it does not account for the fact that certain database configurations will not consider case differences in file names. If a malicious user uploads a file which only differs in letter case, access will be granted for the earlier upload regardless of actual file access to that.

This issue affects Drupal 5.x and 6.x.

Comment unpublishing bypass

The comment module allows users to leave comments on content on the site.

The module supports unpublishing comments by privileged users. Users with the "post comments without approval" permission however could craft a URL which allows them to republish previously unpublished comments.

This issue affects Drupal 5.x and 6.x.

Actions cross site scripting

The actions feature combined with Drupal's trigger module allows users to configure certain actions to happen when users register, content is submitted, and so on; through a web based interface.

Users with "administer actions permission" can enter action descriptions and messages which are not properly filtered on output. Users with content and taxonomy tag submission permissions can create nodes and taxonomy terms which are not properly sanitized for inclusion in action messages and inject arbitrary HTML and script code into Drupal pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Versions affected
  • Drupal 6.x before version 6.18 or 6.19.
  • Drupal 5.x before version 5.23.
Solution

Install the latest version:

Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.

The security team starts a new practice of releasing both a pure security update without other bugfixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 6.18 and Drupal 6.19. Read the announcement for more information.

Reported by

The OpenID authentication bypass issues were reported by Johnny Bufu, Christian Schmidt and Heine Deelstra (*).
The file download access bypass was reported by Wolfgang Ziegler.
The comment unpublish bypass issue was reported by Heine Deelstra (*).
The actions module cross site scripting was reported by Justin Klein Keane and Heine Deelstra (*).

(*) Member of the Drupal security team.

Fixed by

The OpenID authentication issues were fixed by Christian Schmidt, Heine Deelstra (*) and Damien Tournoud (*).
The file download access bypass was fixed by Dave Reid (*) and Neil Drumm (*).
The comment unpublish bypass issue was fixed by Heine Deelstra (*).
The actions module cross site scripting was fixed by Justin Klein Keane and Heine Deelstra (*).

(*) Member of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.xDrupal 6.x

SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

Wed, 03/03/2010 - 2:31pm
  • Advisory ID: DRUPAL-SA-CORE-2010-001
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2010-March-03
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting, Open redirect, Authorization vulnerability
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Installation cross site scripting

A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.

This issue affects Drupal 6.x only.

Open redirection

The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.

This issue affects Drupal 5.x and 6.x.

Locale module cross site scripting

Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission.

This issue affects Drupal 5.x and 6.x.

Blocked user session regeneration

Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.

This issue affects Drupal 5.x and 6.x.

Versions affected
  • Drupal 6.x before version 6.16.
  • Drupal 5.x before version 5.22.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.16.
  • If you are running Drupal 5.x then upgrade to Drupal 5.22.

Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerabilities, but do not contain other fixes which were released in Drupal 6.16 or Drupal 5.22.

Reported by

The installation cross site scripting issue was reported by David Rothstein (*).
The open redirection was reported by Martin Barbella.
The locale module cross site scripting was reported by Justin Klein Keane.
The blocked user session regeneration issue was reported by Craig A. Hancock.

(*) Member of the Drupal security team.

Fixed by

The installation cross site scripting issue was fixed by Heine Deelstra.
The open redirection was fixed by Gerhard Killesreiter and Heine Deelstra.
The locale module cross site scripting was fixed by Stéphane Corlosquet, Peter Wolanin, Heine Deelstra and Neil Drumm.
The blocked user session regeneration issue was fixed by Gerhard Killesreiter.

All the fixes were done by members of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Front page news: Drupal NewsDrupal version: Drupal 5.xDrupal 6.x

SA-CORE-2009-009 - Drupal Core - Cross site scripting

Wed, 12/16/2009 - 4:17pm
  • Advisory ID: DRUPAL-SA-CORE-2009-009
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-December-16
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

Multiple vulnerabilities were discovered in Drupal.

Contact category name cross-site scripting

The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x and Drupal 5.x.

Menu description cross-site scripting

The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Versions affected
  • Drupal 5.x before version 5.21.
  • Drupal 6.x before version 6.15.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.15.
  • If you are running Drupal 5.x then upgrade to Drupal 5.21.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.21 or Drupal 6.15.

Reported by

The contact category XSS issue was independently reported by mr.baileys and Justin Klein Keane.
The menu description XSS issue was reported by mr.baileys.

Fixed by

The contact category XSS issue was fixed by Justin Klein Keane and Dave Reid.
The menu description XSS issue was fixed by Gábor Hojtsy and Heine Deelstra.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.xDrupal 6.x

SA-CORE-2009-008 - Drupal core - Multiple vulnerabilities

Wed, 09/16/2009 - 3:39pm
  • Advisory ID: DRUPAL-SA-CORE-2009-008
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-September-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

OpenID association cross site request forgeries

The OpenID module in Drupal 6 allows users to create an account or log into a Drupal site using one or more OpenID identities.

The core OpenID module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts. These OpenID identities can then be used to gain access to the affected accounts.

This issue affects Drupal 6.x only.

OpenID impersonation

The OpenID module is not a compliant implementation of the OpenID Authentication 2.0 specification. An implementation error allows a user to access the account of another user when they share the same OpenID 2.0 provider.

This issue affects Drupal 6.x only.

File upload

File uploads with certain extensions are not correctly processed by the File API. This may lead to the creation of files that are executable by Apache. The .htaccess that is saved into the files directory by Drupal should normally prevent execution. The files are only executable when the server is configured to ignore the directives in the .htaccess file.

This issue affects Drupal 6.x only.

Session fixation

Drupal doesn't regenerate the session ID when an anonymous user follows the one time login link used to confirm email addresses and reset forgotten passwords. This enables a malicious user to fix and reuse the session id of a victim under certain circumstances.

This issue affects Drupal 5.x only.

Versions affected
  • Drupal 6.x before version 6.14.
  • Drupal 5.x before version 5.20.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.14.
  • If you are running Drupal 5.x then upgrade to Drupal 5.20.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerabilities, but do not contain other fixes which were released in Drupal 6.14 or Drupal 5.20.

Important note: Some users using OpenID might not be able to use the existing OpenID associations to login after the upgrade. These users should use the one time login via password recovery to get access to their user account and re-add desired associations. These users likely had issues with OpenID logins prior to the upgrade.

Reported by

The session fixation issue was reported by Noel Sharpe.
OpenID impersonation was reported by Robert Metcalf.
OpenID association CSRF was reported by Heine Deelstra (*).
The file upload issue was reported by Heine Deelstra (*).

(*) Member of the Drupal security team

Fixed by

The session fixation issue was fixed by Jakub Suchy.
The OpenID and file upload issues were fixed by Heine Deelstra.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.xDrupal 6.x

SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

Wed, 07/01/2009 - 4:56pm
  • Advisory ID: DRUPAL-SA-CORE-2009-007
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-July-1
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross-site scripting

The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Input format access bypass

User signatures have no separate input format, they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However they will still be able to modify their signature, which will then be processed by the new input format.

If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code.

This issue affects Drupal 6.x only.

Password leaked in URL

When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer.

In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache.

This issue affects both Drupal 5.x and Drupal 6.x

Versions affected
  • Drupal 5.x before version 5.19.
  • Drupal 6.x before version 6.13.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.13.
  • If you are running Drupal 5.x then upgrade to Drupal 5.19.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.19 or Drupal 6.13.

Reported by

The forum XSS issue was independently reported by Mark Piper of Catalyst IT Ltd, Sven Herrmann and Brandon Knight.
The user signature issue was reported by Gerhard Killesreiter of the Drupal security team.
The password in URL issue was reported by Sumit Datta.

Fixed by

The forum XSS issue was fixed by Heine Deelstra, Peter Wolanin and Charlie Gordon.
The user signature issue was fixed by David Rothstein, Charlie Gordon, Heine Deelstra and Gábor Hojtsy.
The password in URL issue was fixed by Damien Tournoud and Bart Jansens.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.xDrupal 6.x

SA-CORE-2009-006 - Drupal core - Cross site scripting

Wed, 05/13/2009 - 3:47pm
  • Advisory ID: DRUPAL-SA-CORE-2009-006
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-May-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports.

Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary.

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 5.x before version 5.18.
  • Drupal 6.x before version 6.12.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.12.
  • If you are running Drupal 5.x then upgrade to Drupal 5.18.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerability, but does not contain other fixes which were released in Drupal 5.18 or Drupal 6.12.

Reported by

The UTF-7 XSS issue in book-export-html.tpl.php was reported by Markus Petrux.

The XSS issue in taxonomy module was publicly disclosed.

Fixed by

Both issues were fixed by Heine Deelstra, Peter Wolanin and Derek Wright of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.xDrupal 6.x

Pages