Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. (CVSS:4.3) (Last Update:2008-09-05)
Monthly Archives: October 2007
SA-2007-030 – Drupal Core – API handling of unpublished comment.
- Advisory ID: DRUPAL-SA-2007-030
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.
Versions affected
- Drupal 4.7.x before version 4.7.8
- Drupal 5.x before version 5.3.
Solution
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.x use SA-2007-030-4.7.7.patch.
- To patch Drupal 5.2 use SA-2007-030-5.2.patch.
Reported by
The Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
SA-2007-029 – Drupal core – User deletion cross site request forgery
- Advisory ID: DRUPAL-SA-2007-029
- Project: Drupal core
- Version: 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
Description
The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.
Versions affected
- Drupal 5.x before version 5.3.
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 5.2 use SA-2007-029-5.2.patch.
Reported by
This vulnerability was discovered during an audit of Drupal 5.1 by Stefan Esser and Mayflower GmbH. This audit was commissioned by die Zeit Online GmbH.
We wish to thank die Zeit Online for sharing the results with us.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
SA-2007-026 – Drupal Core – Cross site scripting via uploads
- Advisory ID: DRUPAL-SA-2007-026
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.
Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files. but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror=”” attributes if you need to review files individually.
Wikipedia has more information about cross site scripting (XSS).
Important note: Configuration change needed
Installing the upgrade or using the patch will not remove the .html extensions from an already configured upload module. Visit Administer » Site Configuration » File uploads (admin/settings/uploads) on Drupal 5.x or administer » settings » upload (admin/settings/upload) on Drupal 4.7.x to remove html from the allowed extensions lists.
The steps above will stop uploads of malicious files, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path for any HTML files.
Versions affected
- Drupal 4.7.x before version 4.7.8.
- Drupal 5.x before version 5.3.
Solution
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.7 use SA-2007-026-4.7.7.patch.
- To patch Drupal 5.2 use SA-2007-026-5.2.patch.
Reported by
The Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
SA-2007-025 – Drupal core – Arbitrary code execution via installer.
- Advisory ID: DRUPAL-SA-2007-025
- Project: Drupal core
- Version: 5.x
- Date: 2007-October-17
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary code execution
Description
The Drupal installer allows any visitor to provide credentials for a database when the site’s own database is not reachable. This allows attackers to run arbitrary code on the site’s server.
An immediate workaround is the removal of the file install.php in the Drupal root directory.
Versions affected
- Drupal 5.x before Drupal 5.3
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 5.2 use SA-2007-025-5.2.patch.
Reported by
Mark Fallon
Wolfgang Ziegler
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
SA-2007-024 – Drupal Core – HTTP response splitting
- Advisory ID: DRUPAL-SA-2007-024
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: HTTP response splitting
Description
In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
Versions affected
- Drupal 4.7.x before version 4.7.8.
- Drupal 5.x before version 5.3.
Solution
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.7 use SA-2007-024-4.7.7.patch.
- To patch Drupal 5.2 use SA-2007-024-5.2.patch.
Reported by
The Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version: