[Security-news] SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

security-news at drupal.org security-news at drupal.org
Thu Mar 4 00:41:15 UTC 2010


  * Advisory ID: DRUPAL-SA-CORE-2010-001
  * Project: Drupal core
  * Version: 5.x, 6.x
  * Date: 2010-March-03
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION  
---------------------------------------------------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Installation cross site scripting

A user-supplied value is directly output during installation allowing a
malicious user to craft a URL and perform a cross-site scripting attack. The
exploit can only be conducted on sites not yet installed. This issue affects
Drupal 6.x only.
.... Open redirection

The API function drupal_goto() is susceptible to a phishing attack. An
attacker could formulate a redirect in a way that gets the Drupal site to
send the user to an arbitrarily provided URL. No user submitted data will be
sent to that URL. This issue affects Drupal 5.x and 6.x.
.... Locale module cross site scripting

Locale module and dependent contributed modules do not sanitize the display
of language codes, native and English language names properly. While these
usually come from a preselected list, arbitrary administrator input is
allowed. This vulnerability is mitigated by the fact that the attacker must
have a role with the 'administer languages' permission. This issue affects
Drupal 5.x and 6.x.
.... Blocked user session regeneration

Under certain circumstances, a user with an open session that is blocked can
maintain his/her session on the Drupal site, despite being blocked. This
issue affects Drupal 5.x and 6.x.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Drupal 6.x before version 6.16.
  * Drupal 5.x before version 5.22.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you are running Drupal 6.x then upgrade to Drupal 6.16 [1].
  * If you are running Drupal 5.x then upgrade to Drupal 5.22 [2].

Drupal 5 will no longer be maintained when Drupal 7 is released [3].
Upgrading to Drupal 6 [4] is recommended. If you are unable to upgrade
immediately, you can apply a patch to secure your installation until you are
able to do a proper upgrade. These patches fix the security vulnerabilities,
but do not contain other fixes which were released in Drupal 6.16 or Drupal
5.22.
  * To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch [5].
  * To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch [6].

-------- REPORTED BY  
---------------------------------------------------------

The installation cross site scripting issue was reported by David Rothstein
[7] (*). The open redirection was reported by Martin Barbella [8]. The locale
module cross site scripting was reported by Justin Klein Keane [9]. The
blocked user session regeneration issue was reported by Craig A. Hancock
[10]. (*) Member of the Drupal security team.
-------- FIXED BY  
------------------------------------------------------------

The installation cross site scripting issue was fixed by Heine Deelstra [11].
The open redirection was fixed by Gerhard Killesreiter [12] and Heine
Deelstra [13]. The locale module cross site scripting was fixed by Stéphane
Corlosquet [14], Peter Wolanin [15], Heine Deelstra [16] and Neil Drumm [17].
The blocked user session regeneration issue was fixed by Gerhard Killesreiter
[18]. All the fixes were done by members of the Drupal security team.
-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://ftp.drupal.org/files/projects/drupal-6.16.tar.gz
[2] http://ftp.drupal.org/files/projects/drupal-5.22.tar.gz
[3] http://drupal.org/node/725382
[4] http://drupal.org/upgrade
[5] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-6.15.patch
[6] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch
[7] http://drupal.org/user/124982
[8] http://drupal.org/user/633600
[9] http://drupal.org/user/302225
[10] http://drupal.org/user/62850
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/227
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/52142
[15] http://drupal.org/user/49851
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/3064
[18] http://drupal.org/user/227



More information about the Security-news mailing list