Core Security Advisories


SA-CORE-2009-006 - Drupal core - Cross site scripting

Wed, 05/13/2009 - 3:47pm
  • Advisory ID: DRUPAL-SA-CORE-2009-006
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-May-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. The fix in SA-CORE-2009-005 - Drupal core - Cross site scripting was incomplete: HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in book outlines is able to insert arbitrary HTML and script code into these exports.

Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary.

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 5.x before version 5.18.
  • Drupal 6.x before version 6.12.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.12.
  • If you are running Drupal 5.x then upgrade to Drupal 5.18.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.18 or Drupal 6.12.

Reported by

The UTF-7 XSS issue in book-export-html.tpl.php was reported by Markus Petrux.

The XSS issue in taxonomy module was publicly disclosed.

Fixed by

Both issues were fixed by Heine Deelstra, Peter Wolanin and Derek Wright of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-CORE-2009-005 - Drupal core - Cross site scripting

Wed, 04/29/2009 - 9:48pm
  • Advisory ID: DRUPAL-SA-CORE-2009-005
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-April-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

Wikipedia has more information about cross site scripting (XSS).

In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.

This vulnerability is limited to forms present on the frontpage. The user login form is not vulnerable.

Versions affected
  • Drupal 5.x before version 5.17.
  • Drupal 6.x before version 6.11.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.17.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.17 or Drupal 6.11.

As an alternate solution if you are unable to upgrade immediately, you can alter your page template following the pattern in the core changes. Open your theme's main page.tpl.php file as well as any other page templates like page-node.tpl.php or page-front.tpl.php and move the line that prints $head (<?php print $head ?>) above the line with the <title> tag, so that it is the first item after <head>.
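The workaround above reduces to one verifiable property of the rendered page: the charset <meta> must be the first element inside <head>, before <title> or anything else an old Internet Explorer could sniff as UTF-7. The following is an added check for that property, not code from the advisory or from Drupal; it takes the final HTML as a string (for example from a crawl of your own site), and the two sample documents are constructed.

```javascript
// Added example (not Drupal code): verify that a rendered page declares its
// UTF-8 charset as the very first element inside <head>, which is what the
// SA-CORE-2009-005 template workaround (print $head before <title>) achieves.

// Tag name of the first element inside <head>, lower-cased, or null.
function firstHeadElement(html) {
  const head = /<head[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return null;
  const first = /<\s*([a-zA-Z][a-zA-Z0-9-]*)/.exec(head[1]);
  return first ? first[1].toLowerCase() : null;
}

// True only when the first element in <head> is a <meta> declaring UTF-8,
// either via http-equiv="Content-Type" or the HTML5 charset attribute.
function charsetDeclaredFirst(html) {
  const head = /<head[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return false;
  const firstTag = /<\s*[a-zA-Z][^>]*>/.exec(head[1]);
  if (!firstTag || !/^<\s*meta\b/i.test(firstTag[0])) return false;
  return /charset\s*=\s*["']?utf-8/i.test(firstTag[0]);
}

// Constructed samples: the ordering the advisory warns about (title first)
// and the corrected ordering (charset meta first).
const TITLE_FIRST = '<html><head>\n<title>Site</title>\n' +
  '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n' +
  '</head><body></body></html>';
const META_FIRST = '<html><head>\n' +
  '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n' +
  '<title>Site</title>\n</head><body></body></html>';

// Report for a set of pages: returns the list of page names that fail.
function pagesWithLateCharset(pages) {
  return Object.keys(pages).filter((name) => !charsetDeclaredFirst(pages[name]));
}
```

Run it over the HTML your theme actually emits, including any custom page templates (page-node.tpl.php, page-front.tpl.php) and the book HTML export mentioned in SA-CORE-2009-006, since each template is a separate place for the ordering to be wrong.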

Reported by

The UTF-7 XSS issue was reported by pod.Edge.

The information disclosure vulnerability was reported by Moritz Naumann.

Fixed by

The Drupal security team

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

New pages and RSS feeds for security announcements

Wed, 03/18/2009 - 11:51am
Separate Security Announcements by Type

To make the impact of different security advisories and announcements easier to see, they are now separated by type.

Drupal core security advisories: http://drupal.org/security
RSS feed for Drupal core: http://drupal.org/security/rss.xml

Contributed project security advisories: http://drupal.org/security/contrib
RSS feed for contributed projects: http://drupal.org/security/contrib/rss.xml

Public service announcements: http://drupal.org/security/psa
RSS feed for announcements: http://drupal.org/security/psa/rss.xml

We encourage those using RSS readers to track security-related developments to subscribe to all three of these feeds.

All posts to each of these three forums will still be sent to the one security announcements e-mail list. To subscribe to that e-mail list, once logged in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

All future public service announcements will only be posted to the Public service announcements page and feed.

Background on the Changes

At Drupalcon in Washington, D.C. earlier this month, members of the Security team held a "Birds of a Feather" session to discuss various topics including improvements to our process of communicating with the public.

One outcome of this meeting was that we decided to more clearly differentiate among security advisories for Drupal core (which affect all users) as opposed to security advisories for contributed projects (which are often used by only tens of sites). In addition, the security team has on occasion issued announcements (such as this one), which were previously mixed in with actual security advisories.

Since the Drupal 6.x upgrade of http://drupal.org, newsletter postings have been managed using forums. The security team has thus split security-related postings among three forums under http://drupal.org/forum/1188.

All past and new advisories and announcements and their feeds can be viewed (via tabs) on http://drupal.org/security.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.


SA-CORE-2009-004 - Local file inclusion on Windows

Wed, 02/25/2009 - 5:58pm
  • Advisory ID: DRUPAL-SA-CORE-2009-004
  • Project: Drupal core
  • Versions: 5.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows
  • Reference: SA-CORE-2009-003 (6.x)
Description

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn't take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.

Versions Affected
  • Drupal 5.x before version 5.16
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.16.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 5.16.

Reported by

Bogdan Calin (www.acunetix.com)

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

SA-CORE-2009-003 - Local file inclusion on Windows

Wed, 02/25/2009 - 1:16pm
  • Advisory ID: DRUPAL-SA-CORE-2009-003
  • Project: Drupal core
  • Versions: 6.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows
Description

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn't take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.

Versions Affected
  • Drupal 6.x before version 6.10
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.10.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 6.10.

Reported by

Bogdan Calin (www.acunetix.com)

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 6.x

SA-CORE-2009-001 Drupal core - Multiple vulnerabilities

Wed, 01/14/2009 - 7:00pm
  • Advisory ID: DRUPAL-SA-CORE-2009-001
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2009-January-14
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Access Bypass

The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node's submission form.

The module contains a flaw that allows a user with the 'translate content' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.

This issue only affects Drupal 6.x.

Validation Bypass

When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.

This issue only affects Drupal 6.x.

Hardening against SQL injection

A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries. While there is no direct risk of SQL injection from Drupal core, it's possible that this could have presented a risk in combination with a contributed module. Additional validation has been added to eliminate this risk.

This issue affects both Drupal 5.x and Drupal 6.x.

Versions Affected
  • Drupal 5.x before version 5.15.
  • Drupal 6.x before version 6.9.
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.15.
  • If you are running Drupal 6.x then upgrade to Drupal 6.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

The access bypass issue for translations was reported by Wolfgang Ziegler.

The validation bypass was reported by v1nce, supersmashbrothers, Tejus Pratap, and Limiting Factor.

The need for SQL hardening was reported by Derek Wright of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-073 - Drupal core - Multiple vulnerabilities

Wed, 12/10/2008 - 4:42pm
  • Advisory ID: DRUPAL-SA-2008-073
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-December-10
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site request forgery

The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.

Cross site scripting

When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier.
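The failure described above is a fail-open default: content that references a format that no longer exists is rendered with no filter at all. The added example below, which is not Drupal's filter module, contrasts that with a fail-closed renderer in which an unknown format falls back to full escaping. The two formats and the sample content are constructed.

```javascript
// Added example (not Drupal code): render stored content through its input
// format, and fail closed when the format id no longer resolves.

// Escape every HTML-significant character.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// A "filtered HTML" format: escape everything, then re-enable a small tag allowlist.
function filteredHtml(s) {
  return escapeHtml(s).replace(/&lt;(\/?)(b|i|em|strong|p)&gt;/g, '<$1$2>');
}

// Constructed format table: id 1 = filtered HTML, id 2 = full HTML (trusted authors).
const FORMATS = { 1: filteredHtml, 2: (s) => s };

// Vulnerable behaviour from the advisory: an unknown format id falls through
// to raw output, so content saved under a since-deleted format is unfiltered.
function renderUnsafe(text, formatId, formats = FORMATS) {
  const f = formats[formatId];
  return f ? f(text) : text;
}

// Fail-closed behaviour: an unknown format id is rendered with the most
// restrictive treatment available, full escaping.
function renderSafe(text, formatId, formats = FORMATS) {
  const f = formats[formatId];
  return f ? f(text) : escapeHtml(text);
}
```

The same principle applies when a format is deleted deliberately: either reassign the affected content to a known format as part of the deletion, or make sure the renderer treats "no such format" as "trust nothing".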

Versions Affected
  • Drupal 5.x before version 5.13
  • Drupal 6.x before version 6.7
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.13.
  • If you are running Drupal 6.x then upgrade to Drupal 6.7.

Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Both issues were reported by David Rothstein (David_Rothstein).

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-067 - Drupal core - Multiple vulnerabilities

Wed, 10/22/2008 - 3:06pm
  • Advisory ID: DRUPAL-SA-2008-067
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-22
  • Security risk: Less Critical
  • Exploitable from: Local/Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File inclusion

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

Cross site scripting

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

Versions Affected
  • Drupal 5.x before version 5.12
  • Drupal 6.x before version 6.6
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.12.
  • If you are running Drupal 6.x then upgrade to Drupal 6.6.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by
  • The file inclusion vulnerability was reported by Anthony Ferrara
  • The cross site scripting issue was reported by Maarten van Grootel
Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-060 - Drupal core - Multiple vulnerabilities

Wed, 10/08/2008 - 5:43pm
  • Advisory ID: DRUPAL-SA-2008-060
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-8
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File upload access bypass

A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only.

Users can view files attached to content which they do not otherwise have access to. This bug affects Drupal 5.x only.

If the core upload module is not enabled, your site will not be affected.

Access rules bypass

A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions.

If you do not use the 'access rules' functionality in core, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

BlogAPI access bypass

The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the 'Administer content with BlogAPI' permission should only be given to trusted users.

If the core BlogAPI module is not enabled, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

Node validation bypass

A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.

This bug affects Drupal 5.x only.

Versions affected
  • Drupal 5.x before version 5.11
  • Drupal 6.x before version 6.5
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.11.
  • If you are running Drupal 6.x then upgrade to Drupal 6.5.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Names marked with asterisk are members of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-047 - Drupal core - Multiple vulnerabilities

Wed, 08/13/2008 - 7:27pm
  • Advisory ID: DRUPAL-SA-2008-047
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-August-13
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site scripting

A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS).

A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks.

These bugs affect both Drupal 5.x and 6.x.

Arbitrary file uploads via BlogAPI

The BlogAPI module does not validate the extension of uploaded files, enabling users with the "administer content with blog api" permission to upload harmful files.

This bug affects both Drupal 5.x and 6.x.

Cross site request forgeries

Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements.

This bug affects Drupal 6.x.

User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person.

This bug affects both Drupal 5.x and 6.x.

Various Upload module vulnerabilities

The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the "upload files" permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF).

These bugs affect Drupal 6.x.

Versions affected
  • Drupal 5.x before version 5.10
  • Drupal 6.x before version 6.4
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.10.
  • If you are running Drupal 6.x then upgrade to Drupal 6.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

* Members of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-046 - Drupal core - Session fixation

Wed, 07/23/2008 - 3:58pm
  • Advisory ID: DRUPAL-SA-2008-046
  • Project: Drupal core
  • Version: 5.x
  • Date: 2008-July-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Session fixation
Description

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access.

The advisory SA-2008-044 claims that this session fixation vulnerability was fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this vulnerability.

Versions affected
  • Drupal 5.x before version 5.9
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by
  • The session fixation issue was originally reported by Erich C. Beyrent. Its continued existence in 5.8 was reported by dmnd.
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

SA-2008-044 - Drupal core - Multiple vulnerabilities

Wed, 07/09/2008 - 5:24pm
  • Advisory ID: DRUPAL-SA-2008-044
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-July-9
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities and weaknesses were discovered in Drupal. None of these are readily exploitable.

Cross site scripting

Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.

Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.

filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.

Cross site request forgeries

Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.

Session fixation

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.

SQL injection

Schema API uses an inappropriate placeholder for 'numeric' fields, enabling SQL injection when user-supplied data is used for such fields. This issue affects Drupal 6 only.

Versions affected
  • Drupal 5.x before version 5.8
  • Drupal 6.x before version 6.3
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.8.
  • If you are running Drupal 6.x then upgrade to Drupal 6.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Note for site administrators

Drupal 5.8 and 6.3 no longer support the use of the object HTML tag in many texts supplied by administrators. Such texts include the mission statement and taxonomy term descriptions.

Notes for developers

Drupal 6.3 has the new db_query placeholder %n for numeric fields (DECIMAL, NUMERIC). Custom queries should be updated to reflect this change.
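The numeric placeholder point (the SQL injection item in this advisory and the %n note above) is easiest to see in a small placeholder formatter: %d truncates a decimal, %s quotes it as a string (wrong type for a NUMERIC column), and only a placeholder that validates the value as a decimal literal is both correct and safe. The following is an added illustration, not Drupal's db_query; the %n handling is my reading of the note above and the escaping for %s is deliberately simplified.

```javascript
// Added example (not Drupal code): a query formatter with typed placeholders.
// %d integer, %f float, %s quoted string, %n decimal literal, %% literal percent.
function formatQuery(sql, args) {
  let i = 0;
  return sql.replace(/%(%|[dsfn])/g, (m, type) => {
    if (type === '%') return '%';
    if (i >= args.length) throw new Error('missing argument for ' + m);
    const value = args[i++];
    switch (type) {
      case 'd': {
        const n = parseInt(value, 10);           // "12.50" becomes 12: data loss
        if (Number.isNaN(n)) throw new Error('%d requires an integer');
        return String(n);
      }
      case 'f': {
        const n = Number(value);
        if (!Number.isFinite(n)) throw new Error('%f requires a float');
        return String(n);
      }
      case 's':
        // Simplified quoting for the example; real code uses the driver's escaper.
        return "'" + String(value).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
      case 'n':
        // Decimal literal only: optional sign, digits, optional fraction.
        // Anything else is rejected rather than spliced into the SQL.
        if (!/^-?\d+(\.\d+)?$/.test(String(value))) {
          throw new Error('%n requires a decimal number, got ' + JSON.stringify(String(value)));
        }
        return String(value);
      default:
        throw new Error('unknown placeholder ' + m);
    }
  });
}

// True when the formatter refuses the value for a %n placeholder.
function rejectsNumeric(value) {
  try {
    formatQuery('SELECT 1 WHERE price = %n', [value]);
    return false;
  } catch (e) {
    return true;
  }
}
```

When auditing custom queries after the upgrade, look for NUMERIC or DECIMAL columns bound with %s or %d, or, worse, concatenated in: the first two are type bugs, the last is the injection.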

Reported by
  • The session fixation issue was reported by Erich C. Beyrent.
  • The Taxonomy term XSS issue was reported by John Morahan.
  • The OpenID CSRF issue was reported by Peter Wolanin (Drupal security team).
  • The OpenID XSS issue was reported by Neil Drumm (Drupal security team).
  • The locale CSRF issue and the numeric SQL injection issue were reported by Heine Deelstra (Drupal security team).
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x, Drupal 6.x

SA-2008-026 - Drupal core - Access bypass

Wed, 04/09/2008 - 4:25pm
  • Advisory ID: DRUPAL-SA-2008-026
  • Project: Drupal core
  • Version: 6.x
  • Date: 2008-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The menu system routes page requests to appropriate handlers. It also determines whether a user has access to pages based on several criteria, such as permissions assigned to a role. Drupal 6 features an entirely revised menu system, including changes to the way access is dealt with, which if not properly understood by developers can lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.

Access to some pages was not appropriately controlled:

  • Any user can edit profile pages of other users.
  • Users who can view administration pages are able to edit content types.
  • The tracker and blog pages expose information to users without the "access content" permission.
Versions affected
  • Drupal 6.x before version 6.2.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes incorrectly set menu items in Drupal core, but does not contain the menu API change which would provide secure defaults. This patch is a temporary solution to be used if modules are required which are still incompatible with the new API changes.

If you used SA-2008-026-6.1.patch or SA-2008-026-6.1b.patch: the patch was incorrect. Please reverse the patch, such as patch -R, and apply the current patch.

Important notes

It is essential to follow this process when updating:

  • First make sure that you are logged in as user number 1 or that your site's settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
  • Turn your site into offline mode.
  • Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
  • Run update.php.
  • Turn your site back to online mode.
  • If you edited your site's settings.php, make sure to set $update_free_access = FALSE;

If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message: "Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594" and you will have no way to set the site to offline mode on the web interface until you get through update.php.

Contributed modules may require an update to work properly with Drupal 6.2. Failing to update modules will lead to some pages of the affected modules not being accessible.

Note for Module developers

Drupal 6.2 contains two API changes.

  • Menu access callbacks are no longer inherited from parent items.
  • %user_current has been renamed to %user_uid_optional.

Additional information can be found in Updating your 6.x module to work with 6.2.

Reported by
  • The tracker and profile access issues were reported by Peter Wolanin and Greg Knaddison, respectively, of the Drupal security team.
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 6.x

SA-2008-018 - Drupal core - Cross site scripting

Wed, 02/27/2008 - 2:23pm
  • Advisory ID: DRUPAL-SA-2008-018
  • Project: Drupal core
  • Version: 6.0
  • Date: 2008-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site scripting vulnerabilities
Description

Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.

The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.
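As an added illustration of the bug described above (not code from Drupal's misc/drupal.js, but modelled on the advisory's description), the following JavaScript shows why a string pattern passed to String.prototype.replace escapes only the first occurrence, beside the corrected form that uses a global regular expression. The function names and the sample input are constructed for this example.

```javascript
// Added example, modelled on the advisory's description of the
// Drupal.checkPlain bug; not copied from Drupal's own source.

// Buggy variant: String.prototype.replace with a *string* pattern replaces
// only the first occurrence, so every later '<', '>', '&' or '"' survives
// and the result can still contain live markup.
function checkPlainBuggy(str) {
  str = String(str);
  const replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  for (const ch in replace) {
    str = str.replace(ch, replace[ch]);
  }
  return str;
}

// Fixed variant: a regular expression with the 'g' flag replaces every
// occurrence. '&' is handled first so the entities produced by the later
// replacements are not escaped a second time.
function checkPlain(str) {
  str = String(str);
  const replace = [
    [/&/g, '&amp;'],
    [/"/g, '&quot;'],
    [/</g, '&lt;'],
    [/>/g, '&gt;'],
  ];
  for (const [pattern, entity] of replace) {
    str = str.replace(pattern, entity);
  }
  return str;
}

// Returns true when escaped output still contains an unescaped tag start.
function leavesRawTag(escaped) {
  return /<[a-z/]/i.test(escaped);
}

// Constructed input: a harmless tag followed by a script tag. Only the first
// '<' and the first '>' are escaped by the buggy variant.
const sample = '<b>x</b><script>x()</script>';
```

Any page that relies on the escaper to neutralise user-controlled strings inherits the defect, which is why a single missed occurrence is enough to reintroduce script injection.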

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 6.x before version 6.1.
Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.1.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by
  • Steve McKenzie discovered the ECMAScript issue
  • The Drupal security team
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 6.x

SA-2008-007 - Drupal core - Cross site scripting (register_globals)

Thu, 01/10/2008 - 4:03pm
  • Advisory ID: DRUPAL-SA-2008-007
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting when register_globals is enabled.
Description

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. This issue affects you only when both of these measures are ineffective and your PHP interpreter is configured with register_globals enabled.

Versions affected
  • Drupal 4.7.x
  • Drupal 5.x
Solutions
  1. Disable register_globals. Please refer to the PHP documentation for information on how to configure PHP.
  2. Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.

Reported by

Ultra Security Research.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2008-006 - Drupal core - Cross site scripting (UTF8)

Thu, 01/10/2008 - 4:02pm
  • Advisory ID: DRUPAL-SA-2008-006
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

When outputting plain text, Drupal strips potentially dangerous HTML tags and attributes, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are invalid under the UTF-8 specification are not handled properly by Internet Explorer 6, which may treat a stray byte as the start of a multibyte character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. As a result, attribute text that lay outside a tag as far as Drupal's filter was concerned may appear inside a tag to Internet Explorer 6. This behaviour can then be used to insert and execute JavaScript in the context of the website.
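The Important note further down records that, after the fix, text containing invalid UTF-8 is no longer displayed at all. An equivalent defensive check, written here as an added JavaScript example rather than Drupal's own PHP code, validates the byte sequences against the UTF-8 well-formedness rules before escaping and returns an empty string otherwise, so a dangling lead byte never reaches the browser. The function names and the sample byte strings are constructed.

```javascript
// Added example: refuse to output text that is not well-formed UTF-8.
// Not Drupal's code; it mirrors the effect described in the advisory.

// Walk the bytes and apply the UTF-8 well-formedness rules (RFC 3629):
// valid lead byte, correct number of continuation bytes, and the narrowed
// second-byte ranges that exclude overlong forms, surrogates and > U+10FFFF.
function isWellFormedUtf8(bytes) {
  let i = 0;
  while (i < bytes.length) {
    const b = bytes[i];
    let need;
    if (b < 0x80) { i += 1; continue; }            // ASCII
    else if (b >= 0xC2 && b <= 0xDF) need = 1;       // 2-byte sequence
    else if (b >= 0xE0 && b <= 0xEF) need = 2;       // 3-byte sequence
    else if (b >= 0xF0 && b <= 0xF4) need = 3;       // 4-byte sequence
    else return false;   // 0x80-0xC1 and 0xF5-0xFF can never start a character
    if (i + need >= bytes.length) return false;      // truncated: lead byte with too few followers
    const b1 = bytes[i + 1];
    let lo = 0x80, hi = 0xBF;
    if (b === 0xE0) lo = 0xA0;        // reject overlong 3-byte forms
    else if (b === 0xED) hi = 0x9F;   // reject UTF-16 surrogates
    else if (b === 0xF0) lo = 0x90;   // reject overlong 4-byte forms
    else if (b === 0xF4) hi = 0x8F;   // reject code points above U+10FFFF
    if (b1 < lo || b1 > hi) return false;
    for (let k = 2; k <= need; k++) {
      const bk = bytes[i + k];
      if (bk < 0x80 || bk > 0xBF) return false;
    }
    i += need + 1;
  }
  return true;
}

// Escape-for-HTML that first insists on well-formed input. Invalid input is
// dropped entirely rather than passed through, which is the safe failure mode
// when a browser might resynchronise differently from the filter.
function checkPlainBytes(bytes) {
  if (!isWellFormedUtf8(bytes)) return '';
  return Buffer.from(bytes).toString('utf8')
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Constructed sample: a value that ends in a lone 3-byte lead byte (0xE2).
// Placed in front of an attribute's closing quote, a lenient decoder could
// swallow that quote; the validator rejects the value instead.
const truncatedValue = Buffer.from([0x78, 0xE2]);
```

Rejecting rather than repairing is the important design choice: any attempt to "fix up" the bytes must guess how each browser would resynchronise, and the advisory shows that Internet Explorer 6 guesses differently from the server-side filter.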

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Important note

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.

Use of modules that purposely insert bytes that are invalid UTF-8, such as GeSHi Filter and Code Filter, will cause any text using the filter not to be displayed. Disable these modules until a solution has been found.

Reported by

The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend.

The Drupal security team wants to thank Die Zeit, who commissioned the audit, for sharing the results.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2008-005 - Drupal core - Cross site request forgery

Thu, 01/10/2008 - 4:00pm
  • Advisory ID: DRUPAL-SA-2008-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery
Description

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example, should a privileged user view a page containing an <img> tag whose src points to a specially constructed remove-items URL, the items would be removed.

Versions affected
  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled

Wed, 12/05/2007 - 3:38pm
  • Advisory ID: DRUPAL-SA-2007-031
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-December-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Description

The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.
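An added JavaScript example (not Drupal's PHP code) contrasting the pattern the advisory describes, term IDs interpolated straight into an IN (...) list, with a placeholder scheme in the style of Drupal's %d and %s markers, where every %d argument is cast to an integer before it reaches the query. The functions buildQuery, escapeSqlString, selectNodesVulnerable and selectNodesSafe and the sample term IDs are constructed for this illustration.

```javascript
// Added example: string interpolation versus typed placeholders.
// Modelled on the advisory's description; not Drupal's own code.

// Escape a string argument for use inside single quotes (MySQL style).
function escapeSqlString(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Substitute %d (integer) and %s (escaped string) placeholders, and %% for a
// literal percent sign. %d behaves like PHP's (int) cast: "7 OR 1=1" becomes 7
// and non-numeric input becomes 0, so the argument can never alter the query
// structure. The argument count must match the placeholder count exactly.
function buildQuery(sql, args) {
  let i = 0;
  const out = sql.replace(/%([ds%])/g, (match, kind) => {
    if (kind === '%') return '%';
    if (i >= args.length) throw new RangeError('too few query arguments');
    const arg = args[i++];
    if (kind === 'd') {
      const n = parseInt(arg, 10);
      return String(Number.isNaN(n) ? 0 : n);
    }
    return escapeSqlString(arg);   // the caller writes the surrounding quotes
  });
  if (i !== args.length) throw new RangeError('too many query arguments');
  return out;
}

const BASE = 'SELECT n.nid FROM term_node tn INNER JOIN node n ON n.nid = tn.nid ' +
             'WHERE n.status = 1 AND tn.tid IN (';

// Vulnerable shape: whatever the caller passes becomes part of the SQL text.
// A contributed module that forwards request input here hands the attacker
// control over the WHERE clause.
function selectNodesVulnerable(tids) {
  return BASE + tids.join(', ') + ')';
}

// Hardened shape: one %d placeholder per value, so each tid is an integer
// by the time it is spliced in, regardless of what the caller supplied.
function selectNodesSafe(tids) {
  const placeholders = tids.map(() => '%d').join(', ');
  return buildQuery(BASE + placeholders + ')', tids);
}

// Constructed input: one legitimate id and one that carries extra SQL.
const sampleTids = ['5', '7 OR 1=1'];
```

The point the advisory makes is that validation at one call site (taxonomy module) is not a substitute for placeholders inside the shared function: every other caller, including contributed modules, inherits the weakness until the query itself is safe.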

To learn more about SQL injection, please read this article.

Versions affected
  • Drupal 4.7.x before Drupal 4.7.9
  • Drupal 5.x before Drupal 5.4
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.9.
  • If you are running Drupal 5.x then upgrade to Drupal 5.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by
  • Nadid Skywalker
  • Ivan Sergio Borgonovo
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-030 - Drupal Core - API handling of unpublished comment.

Wed, 10/17/2007 - 3:50pm
  • Advisory ID: DRUPAL-SA-2007-030
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.

Versions affected
  • Drupal 4.7.x before version 4.7.8
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.x, Drupal 5.x

SA-2007-029 - Drupal core - User deletion cross site request forgery

Wed, 10/17/2007 - 3:40pm
  • Advisory ID: DRUPAL-SA-2007-029
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery
Description

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.

Versions affected
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

This vulnerability was discovered during an audit of Drupal 5.1 by Stefan Esser and Mayflower GmbH. This audit was commissioned by die Zeit Online GmbH.

We wish to thank die Zeit Online for sharing the results with us.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x
