Drupal core – Multiple cross site scripting vulnerabilities

  • Advisory ID: DRUPAL-SA-2007-018
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site scripting vulnerabilities

Description

Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim’s session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with the ‘administer content types’ permission would be able to inject and execute arbitrary HTML and script code on the website.
Revoking the ‘administer content types’ permission provides an immediate workaround.

Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • Drupal 4.7.x before version 4.7.7.
  • Drupal 5.x before version 5.2.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Important note

settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites’ settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

Reported by

  • The server variables issue was reported by David Caylor.
  • Content type naming issues were reported by Karthik.

Thanks

The security team wishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Jansens and Neil Drumm for technical assistance.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

Drupal core – Cross site request forgeries

  • Advisory ID: DRUPAL-SA-2007-017
  • Project: Drupal core
  • Version: 5.x
  • Date: 2007-July-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site request forgeries

Description

Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site.

Versions affected

  • Drupal 5.x before version 5.2.

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.2.

Drupal 4.7.x is not affected.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Konstantin Käfer reported the menu issue.
  • The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

CVE-2007-3947

request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault. (CVSS:5.8) (Last Update:2012-10-30)

CVE-2007-3950

lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. (CVSS:4.3) (Last Update:2008-09-05)

CVE-2007-3948

connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts. (CVSS:4.3) (Last Update:2012-10-30)

CVE-2007-3946

mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header. (CVSS:6.4) (Last Update:2012-10-30)