* Advisory ID: DRUPAL-SA-CONTRIB-2009-008
* Project: Taxonomy Theme (third-party module)
* Version: 5.x
* Date: 2009 February 28
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)
-------- DESCRIPTION ---------------------------------------------------------
The Taxonomy Theme module allows a website administrator to change the theme
of a given content item based on taxonomy, vocabulary or content type. It
does not properly sanitize user-supplied data in a number of places. This
allows users with the "administer taxonomy" permission or, when tagging is
enabled, any user able to submit content, to insert arbitrary HTML and scripts
into certain pages. Such a cross-site scripting [1] (XSS) attack against
sufficiently privileged users may lead to administrator access to the site.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Versions of Taxonomy Theme for Drupal 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed Taxonomy Theme
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Taxonomy Theme for Drupal 5.x, upgrade to Taxonomy Theme 5.x-1.2 [2].
See also the Taxonomy Theme project page [3].
-------- REPORTED BY ---------------------------------------------------------
This vulnerability was publicly disclosed.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/386942
[3] http://drupal.org/project/taxonomy_theme
* Advisory ID: DRUPAL-SA-CORE-2009-004
* Project: Drupal core
* Versions: 5.x
* Date: 2009-February-25
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Local file inclusion on Windows
* Reference: SA-CORE-2009-003 [1] (6.x)
-------- DESCRIPTION ---------------------------------------------------------
This vulnerability exists on Windows, regardless of the type of webserver
(Apache, IIS) used.
The Drupal theme system takes URL arguments into account when selecting a
template file to use for page rendering. While doing so, it doesn't take into
account how Windows arrives at a canonicalized path. This enables malicious
users to include files, readable by the webserver and located on the same
volume as Drupal, and to execute PHP contained within those files. For
example, if a site has uploads enabled, an attacker may upload a file
containing PHP code and cause it to be included on a subsequent request by
manipulating the URL used to access the site.
*Important note*: An attacker may also be able to inject PHP code into
webserver logs and subsequently include the log file, leading to code
execution even if no upload functionality is enabled on the site.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal 5.x before version 5.16
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you are running Drupal 5.x then upgrade to Drupal 5.16 [2].
If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. The patch fixes
the security vulnerability, but does not contain other fixes which were
released in Drupal 5.16.
* To patch Drupal 5.15 use SA-CORE-2009-004-5.15.patch [3].
-------- REPORTED BY ---------------------------------------------------------
Bogdan Calin (www.acunetix.com)
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/383724
[2] http://ftp.drupal.org/files/projects/drupal-5.16.tar.gz
[3] http://drupal.org/files/sa-core-2009-004/SA-CORE-2009-004-5.15.patch
* Advisory ID: DRUPAL-SA-CORE-2009-003
* Project: Drupal core
* Versions: 6.x
* Date: 2009-February-25
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Local file inclusion on Windows
-------- DESCRIPTION ---------------------------------------------------------
This vulnerability exists on Windows, regardless of the type of webserver
(Apache, IIS) used.
The Drupal theme system takes URL arguments into account when selecting a
template file to use for page rendering. While doing so, it doesn't take into
account how Windows arrives at a canonicalized path. This enables malicious
users to include files, readable by the webserver and located on the same
volume as Drupal, and to execute PHP contained within those files. For
example, if a site has uploads enabled, an attacker may upload a file
containing PHP code and cause it to be included on a subsequent request by
manipulating the URL used to access the site.
*Important note*: An attacker may also be able to inject PHP code into
webserver logs and subsequently include the log file, leading to code
execution even if no upload functionality is enabled on the site.
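The defensive pattern behind the fix described above (for both the 5.x and 6.x advisories), as an added illustration that is not Drupal's own code or the official patch: a URL-derived template suggestion is accepted only if it has the expected token shape and, after the operating system has canonicalised it, still resolves to a file directly inside the theme directory. The function name, the `$_GET['suggestion']` input and the theme path are hypothetical.

```php
<?php
// Added example, not Drupal core code. Resolve a template suggestion so that
// the file handed to include can never lie outside the theme directory,
// regardless of how the host OS (Windows included) canonicalises paths.

/**
 * Returns the absolute template path to include, or NULL if rejected.
 * $theme_dir and $suggestion are hypothetical inputs for this example.
 */
function safe_template_path($theme_dir, $suggestion) {
  // 1. Accept only the token shape a theme suggestion is expected to have:
  //    letters, digits, underscore, hyphen. No separators, no dots.
  if (!preg_match('/^[A-Za-z0-9_-]+$/', $suggestion)) {
    return NULL;
  }

  // 2. Let the OS canonicalise both the base directory and the candidate,
  //    instead of reasoning about the raw string ourselves.
  $base = realpath($theme_dir);
  $candidate = realpath($theme_dir . DIRECTORY_SEPARATOR . $suggestion . '.tpl.php');
  if ($base === FALSE || $candidate === FALSE) {
    return NULL;  // base directory missing, or template file does not exist
  }

  // 3. The canonical candidate must sit directly under the canonical base.
  //    Windows file systems are case-insensitive, so compare accordingly.
  $parent = dirname($candidate);
  $on_windows = strncasecmp(PHP_OS, 'WIN', 3) === 0;
  $inside = $on_windows ? strcasecmp($parent, $base) === 0 : $parent === $base;
  if (!$inside) {
    return NULL;
  }
  return $candidate;
}

// Usage: only a path that survived all three checks reaches include.
$suggestion = isset($_GET['suggestion']) ? $_GET['suggestion'] : '';
$path = safe_template_path('/var/www/drupal/themes/garland', $suggestion);
if ($path !== NULL) {
  include $path;
}
```

Step 1 alone rejects separators, but step 3 is the check that matters on Windows: it compares paths only after the OS has applied its own canonicalisation rules, which is exactly what the vulnerable code omitted.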
-------- VERSIONS AFFECTED ---------------------------------------------------
* Drupal 6.x before version 6.10
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you are running Drupal 6.x then upgrade to Drupal 6.10 [1].
If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. The patch fixes
the security vulnerability, but does not contain other fixes which were
released in Drupal 6.10.
* To patch Drupal 6.9 use SA-CORE-2009-003-6.9.patch [2].
-------- REPORTED BY ---------------------------------------------------------
Bogdan Calin (www.acunetix.com)
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://ftp.drupal.org/files/projects/drupal-6.10.tar.gz
[2] http://drupal.org/files/sa-core-2009-003/SA-CORE-2009-003-6.9.patch
Dear Security Newsletter subscribers,
We have recently performed testing on the subscription infrastructure.
As a result you might have received a message that you were
unsubscribed from the security newsletter.
There is no action required on your part, you are still subscribed.
Many people tried to verify their subscription status which overloaded
our mail servers. Therefore the newsletter subscriptions page is
temporarily disabled. Receiving this mail is proof you are on the
security mailing list, so no need to check.
Sending these messages was unintentional. We apologize for the inconvenience.
Regards,
The Drupal.org infrastructure team