[Security-news] SA-CORE-2009-004 - Local file inclusion on Windows

security-news at drupal.org security-news at drupal.org
Wed Feb 25 23:32:43 UTC 2009 

  * Advisory ID: DRUPAL-SA-CORE-2009-004
  * Project: Drupal core
  * Versions: 5.x
  * Date: 2009-February-25
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Local file inclusion on Windows
  * Reference: SA-CORE-2009-003 [1] (6.x)

-------- DESCRIPTION  
---------------------------------------------------------

This vulnerability exists on Windows, regardless of the type of webserver
(Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a
template file to use for page rendering. While doing so, it doesn't take into
account how Windows arrives at a canonicalized path. This enables malicious
users to include files, readable by the webserver and located on the same
volume as Drupal, and to execute PHP contained within those files. For
example: If a site has uploads enabled, an attacker may upload a file
containing PHP code and cause it to be included on a subsequent request by
manipulating the URL used to access the site.

*Important note*: An attacker may also be able to inject PHP code into
webserver logs and subsequently include the log file, leading to code
execution even if no upload functionality is enabled on the site.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Drupal 5.x before version 5.16

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:

  * If you are running Drupal 5.x then upgrade to Drupal 5.16 [2].

If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. The patch fixes
the security vulnerability, but does not contain other fixes which were
released in Drupal 5.16.

  * To patch Drupal 5.15 use SA-CORE-2009-004-5.15.patch [3].

-------- REPORTED BY  
---------------------------------------------------------

Bogdan Calin (www.acunetix.com)

-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/383724
[2] http://ftp.drupal.org/files/projects/drupal-5.16.tar.gz
[3] http://drupal.org/files/sa-core-2009-004/SA-CORE-2009-004-5.15.patch

More information about the Security-news mailing list