Core Security Advisories

Subscribe to Core Security Advisories feed
Updated: 2 hours 27 min ago

SA-2007-026 - Drupal Core - Cross site scripting via uploads

Wed, 10/17/2007 - 2:38pm
  • Advisory ID: DRUPAL-SA-2007-026
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Description

The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files. but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually.

Wikipedia has more information about cross site scripting (XSS).

Important note: Configuration change needed

Installing the upgrade or using the patch will not remove the .html extensions from an already configured upload module. Visit Administer » Site Configuration » File uploads (admin/settings/uploads) on Drupal 5.x or administer » settings » upload (admin/settings/upload) on Drupal 4.7.x to remove html from the allowed extensions lists.

The steps above will stop uploads of malicious files, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path for any HTML files.

Versions affected
  • Drupal 4.7.x before version 4.7.8.
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.xDrupal 5.x

SA-2007-025 - Drupal core - Arbitrary code execution via installer.

Wed, 10/17/2007 - 2:33pm
  • Advisory ID: DRUPAL-SA-2007-025
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution
Description

The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server.

An immediate workaround is the removal of the file install.php in the Drupal root directory.

Versions affected
  • Drupal 5.x before Drupal 5.3
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

Mark Fallon
Wolfgang Ziegler

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

SA-2007-024 - Drupal Core - HTTP response splitting

Wed, 10/17/2007 - 2:31pm
  • Advisory ID: DRUPAL-SA-2007-024
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: HTTP response splitting
Description

In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.

Versions affected
  • Drupal 4.7.x before version 4.7.8.
  • Drupal 5.x before version 5.3.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.xDrupal 5.x

Drupal core - Multiple cross site scripting vulnerabilities

Thu, 07/26/2007 - 2:59pm
  • Advisory ID: DRUPAL-SA-2007-018
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site scripting vulnerabilities
Description

Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website.
Revoking the 'administer content types' permission provides an immediate workaround.

Wikipedia has more information about cross site scripting (XSS).

Versions affected
  • Drupal 4.7.x before version 4.7.7.
  • Drupal 5.x before version 5.2.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Important note

settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites' settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

Reported by
  • The server variables issue was reported by David Caylor.
  • Content type naming issues were reported by Karthik.
Thanks

The security team wishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Jansens and Neil Drumm for technical assistance.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.xDrupal 5.x

Drupal core - Cross site request forgeries

Thu, 07/26/2007 - 2:58pm
  • Advisory ID: DRUPAL-SA-2007-017
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site request forgeries
Description

Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site.

Versions affected
  • Drupal 5.x before version 5.2.
Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by
  • Konstantin Käfer reported the menu issue.
  • The Drupal security team.
Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 5.x

DRUPAL-SA-2007-005 - Drupal core - Arbitrary code execution

Mon, 01/29/2007 - 2:11pm
  • Advisory ID: DRUPAL-SA-2007-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-Jan-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution
Description

Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format.

Immediate workarounds include: disabling the comment module, revoking the 'post comments' permission for all users or limiting access to one input format.

Versions affected
  • Drupal 4.7.x before version 4.7.6.
  • Drupal 5.x before version 5.1.
Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.6.
  • If you are running Drupal 5.0 then upgrade to Drupal 5.1.
Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: Drupal 4.7.xDrupal 5.x

Drupal core - Denial of service

Tue, 12/19/2006 - 10:53am
  • Advisory ID: DRUPAL-SA-2007-002.
  • Project: Drupal Core.
  • Version: 4.6, 4.7
  • Date: 2007-Jan-05.
  • Security risk: Less critical.
  • Exploitable from: Remote.
  • Vulnerability: Denial of service.
Description

The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages.

If the page cache is not enabled, your site is not vulnerable. The vulnerability only affects sites running on top of MySQL.

Versions affected
  • Drupal 4.6.x versions before Drupal 4.6.11.
  • Drupal 4.7.x versions before Drupal 4.7.5.
Solution Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal core - Cross site scripting

Tue, 12/19/2006 - 10:43am
  • Advisory ID: DRUPAL-SA-2007-001.
  • Project: Drupal Core.
  • Version: 4.6, 4.7.
  • Date: 2007-Jan-05.
  • Security risk: Less critical.
  • Exploitable from: Remote.
  • Vulnerability: Cross site scripting.
Description

A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia.

Versions affected
  • Drupal 4.6.x versions before Drupal 4.6.11.
  • Drupal 4.7.x versions before Drupal 4.7.5.
Solution Reported by

Anonymous via JPCERT.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Pages