Core Security Advisories


SA-2008-073 - Drupal core - Multiple vulnerabilities

Wed, 12/10/2008 - 4:42pm
  • Advisory ID: DRUPAL-SA-2008-073
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-December-10
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site request forgery

The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.

Cross site scripting

When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier.

Versions Affected
  • Drupal 5.x before version 5.13
  • Drupal 6.x before version 6.7
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.13.
  • If you are running Drupal 6.x then upgrade to Drupal 6.7.

Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Both issues were reported by David Rothstein (David_Rothstein).

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-067 - Drupal core - Multiple vulnerabilities

Wed, 10/22/2008 - 3:06pm
  • Advisory ID: DRUPAL-SA-2008-067
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-22
  • Security risk: Less Critical
  • Exploitable from: Local/Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File inclusion

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

Cross site scripting

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

Versions Affected
  • Drupal 5.x before version 5.12
  • Drupal 6.x before version 6.6
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.12.
  • If you are running Drupal 6.x then upgrade to Drupal 6.6.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by
  • The file inclusion vulnerability was reported by Anthony Ferrara
  • The cross site scripting issue was reported by Maarten van Grootel
Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-060 - Drupal core - Multiple vulnerabilities

Wed, 10/08/2008 - 5:43pm
  • Advisory ID: DRUPAL-SA-2008-060
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-8
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File upload access bypass

A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only.

Users can view files attached to content which they do not otherwise have access to. This bug affects Drupal 5.x only.

If the core upload module is not enabled, your site will not be affected.

Access rules bypass

A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions.

If you do not use the 'access rules' functionality in core, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

BlogAPI access bypass

The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the 'Administer content with BlogAPI' permission should only be given to trusted users.

If the core BlogAPI module is not enabled, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

Node validation bypass

A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.

This bug affects Drupal 5.x only.

Versions affected
  • Drupal 5.x before version 5.11
  • Drupal 6.x before version 6.5
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.11.
  • If you are running Drupal 6.x then upgrade to Drupal 6.5.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Names marked with an asterisk are members of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-047 - Drupal core - Multiple vulnerabilities

Wed, 08/13/2008 - 7:27pm
  • Advisory ID: DRUPAL-SA-2008-047
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-August-13
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site scripting

A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS).

A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks.

These bugs affect both Drupal 5.x and 6.x.

Arbitrary file uploads via BlogAPI

The BlogAPI module does not validate the extension of uploaded files, enabling users with the "administer content with blog api" permission to upload harmful files.

This bug affects both Drupal 5.x and 6.x.

Cross site request forgeries

Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements.

This bug affects Drupal 6.x.

User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person.

This bug affects both Drupal 5.x and 6.x.

Various Upload module vulnerabilities

The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the "upload files" permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF).

These bugs affect Drupal 6.x.

Versions affected
  • Drupal 5.x before version 5.10
  • Drupal 6.x before version 6.4
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.10.
  • If you are running Drupal 6.x then upgrade to Drupal 6.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

* Members of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-046 - Drupal core - Session fixation

Wed, 07/23/2008 - 3:58pm
  • Advisory ID: DRUPAL-SA-2008-046
  • Project: Drupal core
  • Version: 5.x
  • Date: 2008-July-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Session fixation
Description

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access.

The advisory SA-2008-044 claims that this session fixation vulnerability was fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this vulnerability.

Versions affected
  • Drupal 5.x before version 5.9
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by
  • The session fixation issue was originally reported by Erich C. Beyrent. Its continued existence in 5.8 was reported by dmnd.
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

SA-2008-044 - Drupal core - Multiple vulnerabilities

Wed, 07/09/2008 - 5:24pm
  • Advisory ID: DRUPAL-SA-2008-044
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-July-9
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal. Neither of these are readily exploitable.

Cross site scripting

Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.

Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.

filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.

Cross site request forgeries

Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.

Session fixation

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.

SQL injection

Schema API uses an inappropriate placeholder for 'numeric' fields, enabling SQL injection when user-supplied data is used for such fields. This issue affects Drupal 6 only.

Versions affected
  • Drupal 5.x before version 5.8
  • Drupal 6.x before version 6.3
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.8.
  • If you are running Drupal 6.x then upgrade to Drupal 6.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Note for site administrators

Drupal 5.8 and 6.3 no longer support the use of the object HTML tag in many texts supplied by administrators, such as the mission statement and taxonomy term descriptions.

Notes for developers

Drupal 6.3 has the new db_query placeholder %n for numeric fields (DECIMAL, NUMERIC). Custom queries should be updated to reflect this change.
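The SQL injection item above and this developer note describe the same defect from two sides. The block below is an added illustration written for this page, not Drupal's own code, and it does not reproduce how Drupal validates %n: a minimal db_query-style expander in which a DECIMAL/NUMERIC column needs a placeholder that admits only a number, beside the weak unquoted form that splices the raw text into the statement.

```javascript
// Added example for the numeric-placeholder issue in SA-2008-044 and the %n note
// for developers; this is a minimal db_query-style expander written for this
// page, not Drupal's implementation, and it does not reproduce how Drupal
// validates %n. The point: a DECIMAL/NUMERIC column needs a placeholder that
// admits only a number, because an unquoted string placeholder splices the raw
// text straight into the statement.

// Plain decimal or scientific notation, nothing else.
const NUMERIC = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;

function expandPlaceholder(type, value) {
  switch (type) {
    case 'd':   // integer: coerced, so any trailing text collapses to a number
      return String(parseInt(value, 10) || 0);
    case 'n':   // numeric: keep the exact text (arbitrary precision), but only if it is a number
      if (!NUMERIC.test(String(value))) {
        throw new Error(`non-numeric value for %n placeholder: ${value}`);
      }
      return String(value);
    case 's':   // string: quoted and escaped (illustration only; use the driver's escaping in real code)
      return "'" + String(value).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
    default:
      throw new Error(`unknown placeholder %${type}`);
  }
}

// The weak pattern: a numeric column written through an unquoted placeholder
// that trusts the value as-is.
function expandUnquoted(value) {
  return String(value);
}

function renderQuery(sql, args, numericExpander) {
  let i = 0;
  return sql.replace(/%([dns])/g, (_, type) =>
    type === 'n' ? numericExpander(args[i++]) : expandPlaceholder(type, args[i++]));
}

const dbQuery = (sql, args) => renderQuery(sql, args, (v) => expandPlaceholder('n', v));
const dbQueryWeak = (sql, args) => renderQuery(sql, args, expandUnquoted);

// Constructed sample: a price filter whose value comes from a request parameter.
const SQL = 'SELECT nid FROM product WHERE price = %n AND status = %d';
console.log(dbQuery(SQL, ['19.99', '1']));        // price = 19.99 AND status = 1
console.log(dbQueryWeak(SQL, ['0 OR 1=1', '1'])); // the weak form lets the text through
```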

Reported by
  • The session fixation issue was reported by Erich C. Beyrent.
  • The Taxonomy term XSS issue was reported by John Morahan.
  • The OpenID CSRF issue was reported by Peter Wolanin (Drupal security team).
  • The OpenID XSS issue was reported by Neil Drumm (Drupal security team).
  • The locale CSRF issue and the numeric SQL injection issue were reported by Heine Deelstra (Drupal security team).
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-026 - Drupal core - Access bypass

Wed, 04/09/2008 - 4:25pm
  • Advisory ID: DRUPAL-SA-2008-026
  • Project: Drupal core
  • Version: 6.x
  • Date: 2008-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The menu system routes page requests to appropriate handlers. It also determines whether a user has access to pages based on several criteria, such as permissions assigned to a role. Drupal 6 features an entirely revised menu system, including changes to the way access is dealt with, which if not properly understood by developers can lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.

Access to some pages was not appropriately controlled:

  • Any user can edit profile pages of other users.
  • Users who can view administration pages are able to edit content types.
  • The tracker and blog pages expose information to users without the "access content" permission.
Versions affected
  • Drupal 6.x before version 6.2.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes incorrectly set menu items in Drupal core, but does not contain the menu API change which would provide secure defaults. This patch is a temporary solution to be used if modules are required which are still incompatible with the new API changes.

If you used SA-2008-026-6.1.patch or SA-2008-026-6.1b.patch: that patch was incorrect. Please reverse it (for example with patch -R) and apply the current patch.

Important notes

It is essential to follow this process when updating:

  • First make sure that you are logged in as user number 1 or that your site's settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
  • Turn your site into offline mode.
  • Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
  • Run update.php.
  • Turn your site back to online mode.
  • If you edited your site's settings.php, make sure to set $update_free_access = FALSE;

If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message: "Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594" and you will have no way to set the site to offline mode on the web interface until you get through update.php.

Contributed modules may require an update to work properly with Drupal 6.2. Failing to update modules will lead to some pages of the affected modules not being accessible.

Note for Module developers

Drupal 6.2 contains two API changes.

  • Menu access callbacks are no longer inherited from parent items.
  • %user_current has been renamed to %user_uid_optional.

Additional information can be found in Updating your 6.x module to work with 6.2.

Reported by
  • The tracker and profile access issues were reported by Peter Wolanin and Greg Knaddison of the Drupal security team, respectively.
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 6.x

SA-2008-018 - Drupal core - Cross site scripting

Wed, 02/27/2008 - 2:23pm
  • Advisory ID: DRUPAL-SA-2008-018
  • Project: Drupal core
  • Version: 6.0
  • Date: 2008-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site scripting vulnerabilities
Description

Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.

The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.
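The "only the first instance" behaviour is what String.prototype.replace does when it is given a string pattern instead of a global regular expression. The block below is an added illustration of that bug class and its fix, written for this page; it is not Drupal's own checkPlain code.

```javascript
// Added illustration of the Drupal.checkPlain bug class from SA-2008-018; this
// is not Drupal's own code. String.prototype.replace with a *string* pattern
// replaces only the first match, so every later occurrence stays unescaped.

const ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Buggy shape: a string pattern, so only the first occurrence of each
// character in the input is escaped.
function checkPlainBuggy(str) {
  str = String(str);
  for (const ch of Object.keys(ENTITIES)) {
    str = str.replace(ch, ENTITIES[ch]);
  }
  return str;
}

// Fixed shape: a global regular expression escapes every occurrence. '&' is
// handled first so the entities produced for the other characters are not
// themselves re-escaped. None of the four characters is a regex metacharacter.
function checkPlainFixed(str) {
  str = String(str);
  for (const ch of Object.keys(ENTITIES)) {
    str = str.replace(new RegExp(ch, 'g'), ENTITIES[ch]);
  }
  return str;
}

// True when escaped output still contains a raw markup character or a bare
// ampersand, i.e. the escaper failed on this input. Usable as a unit-test
// oracle for any escaping helper.
function leavesMarkup(escaped) {
  return /[<>"]/.test(escaped) || /&(?!amp;|quot;|lt;|gt;)/.test(escaped);
}

// Constructed sample: a title containing more than one '<' and '>'. The buggy
// version neutralises the first tag only; the rest survives into the page.
const SAMPLE_TITLE = '<b>Title</b> & <i>more</i>';

console.log(checkPlainBuggy(SAMPLE_TITLE));  // later tags still raw
console.log(checkPlainFixed(SAMPLE_TITLE));  // fully escaped
```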

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 6.x before version 6.1.
Solution

Install the latest version:

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by
  • Steve McKenzie discovered the ECMAScript issue
  • The Drupal security team
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 6.x

SA-2008-007 - Drupal core - Cross site scripting (register_globals)

Thu, 01/10/2008 - 4:03pm
  • Advisory ID: DRUPAL-SA-2008-007
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting when register_globals is enabled.
Description

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled will this issue affect you.

Versions affected
  • Drupal 4.7.x
  • Drupal 5.x
Solutions
  1. Disable register_globals. Please refer to the PHP documentation for information on how to configure PHP.
  2. Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.

Reported by

Ultra Security Research.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2008-006 - Drupal core - Cross site scripting (UTF8)

Thu, 01/10/2008 - 4:02pm
  • Advisory ID: DRUPAL-SA-2008-006
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

When outputting plain text, Drupal strips potentially dangerous HTML tags and attributes from HTML and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are invalid under the UTF-8 specification are not handled properly by Internet Explorer 6, which may treat them as the start of a multibyte character where none is present. Internet Explorer 6 then consumes a number of the following UTF-8 characters. As a result, unsafe attributes that were outside a tag as far as the filter was concerned can appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute JavaScript in the context of the website.
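The defensive counterpart to this behaviour is to validate UTF-8 at the byte level before any character-based filtering happens, and to refuse to display text that fails. The block below is an added example written for this page (not Drupal's own validation code) that does exactly that for the case the advisory describes: a stray lead byte in front of a tag boundary.

```javascript
// Added example for SA-2008-006 (not Drupal's code): check that a byte string
// is well-formed UTF-8 before it reaches an HTML output filter. A filter that
// works on characters can be undone when the browser later merges a stray lead
// byte with the ASCII that follows it (the Internet Explorer 6 behaviour the
// advisory describes); rejecting malformed input up front closes that gap.

// Returns the byte offset of the first invalid sequence, or -1 when the input is
// well-formed UTF-8 (no stray lead or continuation bytes, no truncated, overlong
// or surrogate encodings, nothing above U+10FFFF).
function firstInvalidUtf8(bytes) {
  let i = 0;
  while (i < bytes.length) {
    const b = bytes[i];
    let need, min;
    if (b < 0x80) { i += 1; continue; }                  // plain ASCII
    else if (b >= 0xC2 && b <= 0xDF) { need = 1; min = 0x80; }
    else if (b >= 0xE0 && b <= 0xEF) { need = 2; min = 0x800; }
    else if (b >= 0xF0 && b <= 0xF4) { need = 3; min = 0x10000; }
    else return i;                                       // 0x80-0xC1, 0xF5-0xFF never start a sequence
    if (i + need >= bytes.length) return i;              // sequence truncated by end of input
    let cp = b & (0x3F >> need);                         // payload bits of the lead byte
    for (let k = 1; k <= need; k++) {
      const c = bytes[i + k];
      if ((c & 0xC0) !== 0x80) return i;                 // lead byte followed by a non-continuation byte
      cp = (cp << 6) | (c & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return i;
    i += need + 1;
  }
  return -1;
}

// Mirrors the mitigation the advisory describes: text that is not valid UTF-8
// is not displayed at all instead of being handed to a character-based filter.
function textForOutput(bytes) {
  if (firstInvalidUtf8(bytes) !== -1) return null;
  return new TextDecoder('utf-8').decode(bytes);
}

// Constructed sample: a lone 3-byte lead byte (0xE0) dropped just before the
// closing quote of an attribute. A decoder that tolerates it would fold the
// following '"' and '>' into one bogus character, moving the tag boundary.
const enc = new TextEncoder();
const MALFORMED_SAMPLE = Uint8Array.from([
  ...enc.encode('<span title="x'), 0xE0, ...enc.encode('">text</span>'),
]);

console.log(firstInvalidUtf8(MALFORMED_SAMPLE));        // 14: offset of the stray 0xE0
console.log(textForOutput(enc.encode('Zürich € ✓')));   // valid multibyte text passes through
```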

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Important note

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.

Use of modules that purposely insert bytes that are invalid UTF-8 characters, such as GeSHi Filter and Code Filter, will cause any text using the filter not to be displayed. Disable the modules until a solution has been found.

Reported by

The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend.

The Drupal security team wants to thank Die Zeit, who commissioned the audit, for sharing the results.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2008-005 - Drupal core - Cross site request forgery

Thu, 01/10/2008 - 4:00pm
  • Advisory ID: DRUPAL-SA-2008-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery
Description

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.

Versions affected
  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled

Wed, 12/05/2007 - 3:38pm
  • Advisory ID: DRUPAL-SA-2007-031
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-December-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Description

The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.

To learn more about SQL injection, please read this article.

Versions affected
  • Drupal 4.7.x before Drupal 4.7.9
  • Drupal 5.x before Drupal 5.4
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.9.
  • If you are running Drupal 5.x then upgrade to Drupal 5.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by
  • Nadid Skywalker
  • Ivan Sergio Borgonovo
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-030 - Drupal core - API handling of unpublished comments

Wed, 10/17/2007 - 3:50pm
  • Advisory ID: DRUPAL-SA-2007-030
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.

Versions affected
  • Drupal 4.7.x before version 4.7.8
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-029 - Drupal core - User deletion cross site request forgery

Wed, 10/17/2007 - 3:40pm
  • Advisory ID: DRUPAL-SA-2007-029
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery
Description

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.

Versions affected
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

This vulnerability was discovered during an audit of Drupal 5.1 by Stefan Esser and Mayflower GmbH. This audit was commissioned by die Zeit Online GmbH.

We wish to thank die Zeit Online for sharing the results with us.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

SA-2007-026 - Drupal core - Cross site scripting via uploads

Wed, 10/17/2007 - 2:38pm
  • Advisory ID: DRUPAL-SA-2007-026
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files, but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not upload yourself. If you need to review files individually, look for CSS includes, JavaScript includes, and onerror="" attributes.

Wikipedia has more information about cross site scripting (XSS).

Important note: Configuration change needed

Installing the upgrade or using the patch will not remove the .html extensions from an already configured upload module. Visit Administer » Site Configuration » File uploads (admin/settings/uploads) on Drupal 5.x or administer » settings » upload (admin/settings/upload) on Drupal 4.7.x to remove html from the allowed extensions lists.

The steps above will stop uploads of malicious files, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path for any HTML files.

Versions affected
  • Drupal 4.7.x before version 4.7.8.
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-025 - Drupal core - Arbitrary code execution via installer

Wed, 10/17/2007 - 2:33pm
  • Advisory ID: DRUPAL-SA-2007-025
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution
Description

The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server.

An immediate workaround is the removal of the file install.php in the Drupal root directory.

Versions affected
  • Drupal 5.x before Drupal 5.3
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Mark Fallon
  • Wolfgang Ziegler

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

SA-2007-024 - Drupal Core - HTTP response splitting

Wed, 10/17/2007 - 2:31pm
  • Advisory ID: DRUPAL-SA-2007-024
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: HTTP response splitting
Description

In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
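What "user-supplied data becoming part of response headers" does on the wire, as an added example that is not part of the advisory or of Drupal's code: a redirect whose Location value is taken from the request unchanged lets an attacker embed CR LF sequences and append a second, complete response of their choosing; a shared cache or a client reading the stream then treats that forged response as the server's answer. The hardened builder refuses any header value containing CR or LF, since there is no safe way to encode them inside a header. The attacker payload and the minimal response parser are constructed for the demonstration.

```python
CRLF = "\r\n"

# Constructed attacker input, e.g. the value of a ?destination= parameter. After the
# legitimate URL it terminates the server's headers and appends a forged 200 response.
ATTACKER_DESTINATION = (
    "http://example.org/" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 20" + CRLF
    + CRLF
    + "<script>x()</script>"
)


def build_redirect_vulnerable(location):
    """Emit a raw HTTP redirect with the Location value inserted verbatim (the flaw)."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def sanitize_header_value(value):
    """Reject CR or LF anywhere in a header value; rejection, not stripping, keeps the intent visible."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not permitted in an HTTP header value")
    return value


def build_redirect_fixed(location):
    return build_redirect_vulnerable(sanitize_header_value(location))


def parse_responses(raw):
    """Split raw into the sequence of responses a Content-Length-honouring client or cache sees."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].split(CRLF)
        status_line, header_lines = lines[0], lines[1:]
        if not status_line.startswith("HTTP/"):
            break  # trailing garbage, not a response
        headers = {}
        for hl in header_lines:
            name, _, value = hl.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + len(CRLF + CRLF)
        responses.append({
            "status": status_line,
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


if __name__ == "__main__":
    for r in parse_responses(build_redirect_vulnerable(ATTACKER_DESTINATION)):
        print(r["status"], r["headers"].get("content-type"), repr(r["body"]))
```

The vulnerable builder yields two responses from one request, the second carrying attacker-controlled HTML; the fixed builder raises before anything is sent. Note that the PHP manual states header() itself refuses values containing newlines from PHP 4.4.2 and 5.1.2 onwards, so on older PHP releases of the period the application-level check was the only line of defence, and on newer ones it still matters for any header written by other means.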

Versions affected
  • Drupal 4.7.x before version 4.7.8.
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

Drupal core - Multiple cross site scripting vulnerabilities

Thu, 07/26/2007 - 2:59pm
  • Advisory ID: DRUPAL-SA-2007-018
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site scripting vulnerabilities
Description

Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website.
Revoking the 'administer content types' permission provides an immediate workaround.

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 4.7.x before version 4.7.7.
  • Drupal 5.x before version 5.2.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Important note

settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites' settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

Reported by
  • The server variables issue was reported by David Caylor.
  • Content type naming issues were reported by Karthik.
Thanks

The security team wishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Jansens and Neil Drumm for technical assistance.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

Drupal core - Cross site request forgeries

Thu, 07/26/2007 - 2:58pm
  • Advisory ID: DRUPAL-SA-2007-017
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site request forgeries
Description

Several parts of Drupal core are not protected against cross site request forgeries, either because of improper use of the Forms API or because they take action solely on GET requests. Malicious users are able to delete comments and content revisions and to disable menu items by enticing a privileged user to visit certain URLs while the victim is logged in to the targeted site.
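The two failure modes named above, acting on a bare GET and accepting a form submission without a token, side by side with the protected handler. This is an added example, not part of the advisory or of Drupal's Forms API: the per-site key, the session identifier and the comment store are stand-ins, and the token construction (an HMAC over the session id and the form id) is the example's own choice for binding a token to both the user's session and the specific form.

```python
import hashlib
import hmac
import secrets

# Per-site secret. Generated at start-up here; in a real deployment it is a persistent
# site setting so tokens survive restarts (assumption for this example).
PRIVATE_KEY = secrets.token_bytes(32)


def form_token(session_id, form_id):
    """Token bound to one session and one form: HMAC-SHA256(key, session_id || 0x00 || form_id)."""
    message = session_id.encode() + b"\x00" + form_id.encode()
    return hmac.new(PRIVATE_KEY, message, hashlib.sha256).hexdigest()


def token_is_valid(session_id, form_id, presented):
    if not presented:
        return False
    return hmac.compare_digest(form_token(session_id, form_id), presented)


class CommentStore:
    """Constructed stand-in for the comments table."""

    def __init__(self):
        self.comments = {1: "first comment", 2: "second comment"}


# A request is modelled as a dict: "method", "query" (GET parameters), "post" (form fields).

def delete_comment_vulnerable(store, request):
    """Acts on a GET with ?cid=: a link or <img src=...> on any page the victim views suffices."""
    cid = int(request["query"]["cid"])
    return store.comments.pop(cid, None) is not None


def delete_comment_fixed(store, request, session_id):
    """State changes only on POST, and only with a token minted for this session and this form."""
    if request["method"] != "POST":
        return "method not allowed"
    post = request.get("post", {})
    if not token_is_valid(session_id, "comment_confirm_delete", post.get("form_token")):
        return "invalid token"
    cid = int(post["cid"])
    store.comments.pop(cid, None)
    return "deleted"


if __name__ == "__main__":
    store = CommentStore()
    print(delete_comment_vulnerable(store, {"method": "GET", "query": {"cid": "1"}}))
    good = form_token("victim-session", "comment_confirm_delete")
    print(delete_comment_fixed(store, {"method": "POST", "post": {"cid": "2", "form_token": good}},
                               "victim-session"))
```

A token copied from the attacker's own session, or one issued for a different form, fails the check even though it was generated by the same site key; that is what binding the token to both the session and the form id buys. The GET refusal is the cheaper half of the fix and is what closes the "solely on GET requests" cases.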

Versions affected
  • Drupal 5.x before version 5.2.
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by
  • Konstantin Käfer reported the menu issue.
  • The Drupal security team.
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

DRUPAL-SA-2007-005 - Drupal core - Arbitrary code execution

Mon, 01/29/2007 - 2:11pm
  • Advisory ID: DRUPAL-SA-2007-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-Jan-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution
Description

Previews on comments were not passed through the normal form validation routines, enabling users with the 'post comments' permission and access to more than one input format to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format.

Immediate workarounds include: disabling the comment module, revoking the 'post comments' permission for all users or limiting access to one input format.
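The shape of the bug, as an added example that is not Drupal's code: a preview path that renders the submitted text with whatever format id was posted, without running the same validation the submit path runs, lets a user select a format they are not allowed to use. The formats, roles and the tag-stripping stand-in for "Filtered HTML" are constructed for the demonstration (the stripper is not a real HTML filter), and the "PHP code" format is only a placeholder for a format that would evaluate its input.

```python
import re

# Constructed input formats (stand-ins, not Drupal's tables). "raw" formats pass text
# through unchanged; format 3 stands in for one that would evaluate its input as code.
FORMATS = {
    1: {"name": "Filtered HTML", "roles": {"anonymous user", "authenticated user"}, "raw": False},
    2: {"name": "Full HTML", "roles": {"editor"}, "raw": True},
    3: {"name": "PHP code", "roles": {"site administrator"}, "raw": True},
}

# Toy allow-list tag stripper, enough to show the difference between formats.
ALLOWED_TAGS = {"a", "em", "strong", "p", "br"}
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")


def user_may_use_format(user_roles, fid):
    fmt = FORMATS.get(fid)
    return fmt is not None and bool(fmt["roles"] & set(user_roles))


def render(text, fid):
    if FORMATS[fid]["raw"]:
        return text
    return TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", text)


def validate_comment_form(form, user_roles):
    """The normal validation path: the posted format id must be one the user may use."""
    errors = []
    if not user_may_use_format(user_roles, form["format"]):
        errors.append("You are not allowed to use the selected input format.")
    return errors


def preview_vulnerable(form, user_roles):
    """The flaw modelled here: preview renders with the posted format id and never validates."""
    return render(form["body"], form["format"])


def preview_fixed(form, user_roles):
    """Preview and submit share one validation routine, so the format check cannot be skipped."""
    errors = validate_comment_form(form, user_roles)
    if errors:
        raise PermissionError(errors[0])
    return render(form["body"], form["format"])


if __name__ == "__main__":
    attacker = ["authenticated user"]
    payload = {"body": "<script>alert(1)</script><p>hi</p>", "format": 2}
    print(preview_vulnerable(payload, attacker))
    try:
        preview_fixed(payload, attacker)
    except PermissionError as e:
        print("rejected:", e)
```

The posted format id is attacker-controlled input like any other field; the only thing that makes it safe is a server-side check that runs on every path that renders the text, preview included. That is also why the advisory's workaround of limiting users to a single format works: with one format there is nothing to choose, and the check cannot be bypassed.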

Versions affected
  • Drupal 4.7.x before version 4.7.6.
  • Drupal 5.x before version 5.1.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.6.
  • If you are running Drupal 5.0 then upgrade to Drupal 5.1.
Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x
