[Security-news] SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Jul 1 21:25:46 UTC 2009


  * Advisory ID: DRUPAL-SA-CORE-2009-007
  * Project: Drupal core
  * Version: 5.x, 6.x
  * Date: 2009-July-1
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION  ---------------------------------------------------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

.... Cross-site scripting

The Forum module does not correctly handle certain arguments obtained from
the URL. By enticing a suitably privileged user to visit a specially crafted
URL, a malicious user is able to insert arbitrary HTML and script code into
forum pages. Such a cross-site scripting attack may lead to the malicious
user gaining administrative access. Wikipedia has more information about
cross-site scripting [1] (XSS). This issue affects Drupal 6.x only.

.... Input format access bypass

User signatures have no separate input format, they use the format of the
comment with which they are displayed. A user will no longer be able to edit
a comment when an administrator changes the comment's input format to a
format that is not accessible to the user. However they will still be able to
modify their signature, which will then be processed by the new input format.
If the new format is very permissive, the user may be able to use their
signature to insert arbitrary HTML and script code into pages or, when the PHP
filter is enabled for the new format, to execute PHP code. This issue affects
Drupal 6.x only.
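
The sequence above can be replayed in a few lines. The following is an added illustration, not Drupal's code: a constructed filter system with a restrictive format and a permissive one, a comment whose format an administrator later changes, and two ways of rendering the author's signature. The format names, the role-to-format access table, the field names and the "bind the signature to its own format, checked at save time" fix are all assumptions made for the illustration; the advisory does not describe how the issue was fixed.

```python
import re

# Constructed 'filtered' format: keeps an allowlist of tags and strips all
# attributes from them, so event handlers cannot ride on an allowed tag.
ALLOWED_TAGS = {"a", "em", "strong", "p"}
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>")


def _keep_or_drop(m):
    closing, name = m.group(1), m.group(2).lower()
    return f"<{closing}{name}>" if name in ALLOWED_TAGS else ""


def filtered_html(text):
    return TAG_RE.sub(_keep_or_drop, text)


def full_html(text):
    """Constructed 'full' format: markup passes through untouched. It stands in
    for any very permissive format, including one with PHP evaluation enabled."""
    return text


FORMATS = {"filtered": filtered_html, "full": full_html}
# Constructed role-to-format access table (assumption, not Drupal's configuration).
ROLE_FORMATS = {"authenticated": {"filtered"}, "administrator": {"filtered", "full"}}


def format_access(account, fmt):
    return fmt in ROLE_FORMATS[account["role"]]


def check_markup(text, fmt):
    return FORMATS[fmt](text)


def can_edit_comment(account, comment):
    """Editing needs access to the comment's current format, so the author loses
    edit rights once an administrator moves the comment to a format they may not use."""
    return format_access(account, comment["format"])


def set_signature_vulnerable(account, text):
    """Weak variant: the signature has no format of its own, so there is nothing
    to check against the author's permissions when it is saved."""
    account["signature"] = text


def render_comment_vulnerable(comment, author):
    """Weak variant: the signature is filtered with the *comment's* format."""
    return (check_markup(comment["body"], comment["format"])
            + "\n-- " + check_markup(author["signature"], comment["format"]))


def set_signature_hardened(account, text, fmt):
    """Hardened variant: the signature is bound to a format the author may use,
    verified at save time."""
    if not format_access(account, fmt):
        raise PermissionError(f"{account['name']} may not use format {fmt!r}")
    account["signature"] = text
    account["signature_format"] = fmt


def render_comment_hardened(comment, author):
    """Hardened variant: the signature is filtered with the format it was saved
    under, so a later change to the comment's format does not widen its output."""
    return (check_markup(comment["body"], comment["format"])
            + "\n-- " + check_markup(author["signature"], author["signature_format"]))


def scenario(hardened):
    """Replay the advisory's sequence with constructed data; return the rendered
    comment as visitors would see it."""
    mallory = {"name": "mallory", "role": "authenticated"}
    # 1. Mallory posts a comment in the only format available to her.
    comment = {"body": "<p>Hello</p>", "format": "filtered", "author": mallory}
    # 2. An administrator switches the comment to the permissive format.
    comment["format"] = "full"
    assert not can_edit_comment(mallory, comment)  # she can no longer edit the comment
    # 3. She can still change her signature.
    payload = "<script>alert(document.cookie)</script>"
    if hardened:
        set_signature_hardened(mallory, payload, "filtered")  # the only format she may use
        return render_comment_hardened(comment, mallory)
    set_signature_vulnerable(mallory, payload)
    return render_comment_vulnerable(comment, mallory)


if __name__ == "__main__":
    print("vulnerable:", scenario(hardened=False))
    print("hardened:  ", scenario(hardened=True))
```

In the weak variant the administrator's change to the comment silently upgrades what the signature may emit; in the hardened variant the permission check happens where the user-controlled text enters the system, and the format travels with that text rather than being borrowed from whatever it is displayed next to.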

.... Password leaked in URL

When an anonymous user fails to login due to mistyping his username or
password, and the page he is on contains a sortable table, the (incorrect)
username and password are included in links on the table. If the user visits
these links the password may then be leaked to external sites via the HTTP
referer. In addition, if the anonymous user is enticed to visit the site via
a specially crafted URL while the Drupal page cache is enabled, a malicious
user might be able to retrieve the (incorrect) username and password from the
page cache. This issue affects both Drupal 5.x and Drupal 6.x.
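
The following is an added illustration, not Drupal's code, of how a sortable table's header links come to carry a failed login's credentials, and of the check a reviewer would run on the rendered page. The advisory does not say how the posted form values reach the links; the example assumes a link builder that takes its carry-forward parameters from the merged request (URL query string plus posted form fields), which reproduces the described behaviour, and contrasts it with a builder that only ever reads the URL's own query string. The request field names, column names and sample values are constructed.

```python
from html import escape, unescape
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample request (field names are assumptions): an anonymous
# visitor on /forum has sorted the topic table, then mistypes credentials into
# the login block, which POSTs back to the same path. The failed login
# re-renders the page, sortable table included.
SAMPLE_GET = {"q": "forum", "sort": "asc", "order": "Topic"}
SAMPLE_POST = {"name": "alice", "pass": "hunter2-typo", "form_id": "user_login_block"}
COLUMNS = ("Topic", "Replies", "Last reply")

# Parameters owned by the table-sort machinery; each header link rewrites them
# instead of carrying them forward.
SORT_KEYS = ("q", "sort", "order")


def carried_querystring(params, exclude=SORT_KEYS):
    """Re-encode the parameters a header link should preserve (filters, pages).
    Whatever is passed in here ends up inside an href."""
    return urlencode({k: v for k, v in sorted(params.items()) if k not in exclude})


def header_link(path, column, extra_qs):
    """One sortable-column header link (ascending sort on `column`)."""
    qs = urlencode({"order": column, "sort": "asc"})
    if extra_qs:
        qs += "&" + extra_qs
    return f'<a href="/{escape(path)}?{escape(qs)}">{escape(column)}</a>'


def header_links_vulnerable(get, post, columns):
    """Weak builder. It models the behaviour the advisory describes by taking
    its carry-forward candidates from the merged request (URL query plus posted
    form), so the login form's fields become link parameters. Assumed
    mechanism for the illustration; not a copy of Drupal's code."""
    merged = {**get, **post}
    return [header_link(get["q"], c, carried_querystring(merged)) for c in columns]


def header_links_hardened(get, columns):
    """Fixed builder: only the URL's own query string is ever carried forward.
    A request body is never a source of link parameters."""
    return [header_link(get["q"], c, carried_querystring(get)) for c in columns]


def leaked_values(links, secrets):
    """Return which of `secrets` appear as a query-string value in any link.
    Anything found here travels in the URL when the link is clicked, and then
    in the HTTP Referer header of requests the next page makes to other sites."""
    found = set()
    for a in links:
        href = unescape(a.split('href="', 1)[1].split('"', 1)[0])
        values = {v for vs in parse_qs(urlsplit(href).query).values() for v in vs}
        found |= set(secrets) & values
    return found


if __name__ == "__main__":
    secrets = (SAMPLE_POST["name"], SAMPLE_POST["pass"])
    print("vulnerable:", leaked_values(header_links_vulnerable(SAMPLE_GET, SAMPLE_POST, COLUMNS), secrets))
    print("hardened:  ", leaked_values(header_links_hardened(SAMPLE_GET, COLUMNS), secrets))
```

The general rule the example demonstrates is that anything which re-emits request parameters into URLs (sort links, pagers, "back" links) must draw only from the query string, never from a form body, and that a page which echoes request data into links is a candidate for the Referer and page-cache exposures the advisory describes.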

-------- VERSIONS AFFECTED  ---------------------------------------------------

  * Drupal 5.x before version 5.19.
  * Drupal 6.x before version 6.13.

-------- SOLUTION  ------------------------------------------------------------

Install the latest version:
  * If you are running Drupal 6.x then upgrade to Drupal 6.13 [2].
  * If you are running Drupal 5.x then upgrade to Drupal 5.19 [3].

If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. These patches
fix the security vulnerabilities, but do not contain other fixes which were
released in Drupal 5.19 or Drupal 6.13.
  * To patch Drupal 6.12 use SA-CORE-2009-007-6.12.patch [4].
  * To patch Drupal 5.18 use SA-CORE-2009-007-5.18.patch [5].

-------- REPORTED BY  ---------------------------------------------------------

The forum XSS issue was independently reported by Mark Piper of Catalyst IT
Ltd, Sven Herrmann and Brandon Knight. The user signature issue was reported
by Gerhard Killesreiter [6] of the Drupal security team. The password in URL
issue was reported by Sumit Datta [7].

-------- FIXED BY  ------------------------------------------------------------

The forum XSS issue was fixed by Heine Deelstra [8], Peter Wolanin [9] and
Charlie Gordon [10]. The user signature issue was fixed by David Rothstein
[11], Charlie Gordon [12], Heine Deelstra [13] and Gábor Hojtsy [14]. The
password in URL issue was fixed by Damien Tournoud [15] and Bart Jansens
[16].

-------- CONTACT  -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://ftp.drupal.org/files/projects/drupal-6.13.tar.gz
[3] http://ftp.drupal.org/files/projects/drupal-5.19.tar.gz
[4] http://drupal.org/files/sa-core-2009-007/SA-CORE-2009-007-6.12.patch
[5] http://drupal.org/files/sa-core-2009-007/SA-CORE-2009-007-5.18.patch
[6] http://drupal.org/user/227
[7] http://drupal.org/user/59022
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/49851
[10] http://drupal.org/user/157412
[11] http://drupal.org/user/124982
[12] http://drupal.org/user/157412
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/4166
[15] http://drupal.org/user/22211
[16] http://drupal.org/user/5330


