CVE-2008-1927

Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems. (CVSS:5.0) (Last Update:2010-08-21)

SA-2008-026 – Drupal core – Access bypass

  • Advisory ID: DRUPAL-SA-2008-026
  • Project: Drupal core
  • Version: 6.x
  • Date: 2008-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The menu system routes page requests to appropriate handlers. It also determines whether a user has access to pages based on several criteria, such as permissions assigned to a role. Drupal 6 features an entirely revised menu system, including changes to the way access is dealt with, which if not properly understood by developers can lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.

Access to some pages was not appropriately controlled:

  • Any user can edit profile pages of other users.
  • Users who can view administration pages are able to edit content types.
  • The tracker and blog pages expose information to users without the “access content” permission.

Versions affected

  • Drupal 6.x before version 6.2.

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes incorrectly set menu items in Drupal core, but does not contain the menu API change which would provide secure defaults. This patch is a temporary solution to be used if modules are required which are still incompatible with the new API changes.

If you used SA-2008-026-6.1.patch or SA-2008-026-6.1b.patch: the patch was incorrect. Please reverse the patch, such as patch -R, and apply the current patch.

Important notes

It is essential to follow this process when updating:

  • First make sure that you are logged in as user number 1 or that your site’s settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
  • Turn your site into offline mode.
  • Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
  • Run update.php.
  • Turn your site back to online mode.
  • If you edited your site’s settings.php, make sure to set $update_free_access = FALSE;

If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message: “Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594” and you will have no way to set the site to offline mode on the web interface until you get through update.php.

Contributed modules may require an update to work properly with Drupal 6.2. Failing to update modules will lead to some pages of the affected modules not being accessible.

Note for Module developers

Drupal 6.2 contains two API changes.

  • Menu access callbacks are no longer inherited from parent items.
  • %user_current has been renamed to %user_uid_optional.

Additional information can be found in Updating your 6.x module to work with 6.2.

Reported by

  • The tracker and profile access issue were respectively reported by Peter Wolanin and Greg Knaddison of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

Forums Usage Guidelines

Forums Usage Guidelines

Symantec provides
these Norton Forums as a service to
help customers exchange ideas, tips, information, and techniques
related to
our products. These Forums are here for the enjoyment and benefit on
Symantec customers, and are accessible to all who register and are 13
years of age or older. These guidelines and
rules are presented here so that you know what is expected of you and
what you can expect from other participants when using the Forums. By
participating, you agree to follow these Usage Guidelines.

– Stay on topic –

 

For
everyone’s benefit please stay on topic. These Forums are provided for
the specific purpose of making it possible for Symantec customers to
exchange information and help each other in using Symantec products.
Please refrain from discussing personal matters, abusing
any company or product, or, in general, from posting in a manner
unrelated to the direct resolution of issues expected in the support of
Symantec beta products.

 

 

– Keep it courteous –

Everyone
wants to have a positive experience while on the Forums – please make
sure that you are not detracting from any other participants
experience. In particular, please refrain from posting anything
unlawful, libelous, defamatory, obscene, pornographic, indecent, lewd,
harassing, threatening, harmful, invasive of privacy or publicity
rights, abusive, inflammatory or otherwise objectionable or injurious
to third parties. Your opinions are always welcome, but personal
attacks and harassment ( “flaming” ) in either the Forums or through
private messaging are not acceptable.

– Keep it spam-free –

The
Forums are provided as a benefit to Symantec customers and
are not intended for the promotion of third party services, products,
websites, or organizations. Please refrain from posting content that
would constitute advertising, junk mail, spam, chain letters, or any
other form of unauthorized solicitation.

– Keep it legal –

It
is unacceptable to post any material (i) that would infringe on any
patent, trademark, trade secret, copyright, or other proprietary rights
of any party, (ii) that contains software viruses or any other computer
code or files that are designed to disrupt, damage, or limit the
functioning of any software or hardware, or (iii) that is deemed to be
illegal by any local, state, federal, or international law.

– Be careful –

Most
people are happy to help out on these Forums, but remember that their
advice is theirs only and that you are responsible for deciding whether
or not to follow it. If the advice given by a participant sounds wrong
to you, do not try it. In particular, if any participant asks you for
personal information, such as an account number, address, password or
credit card number, do not provide it.

– Symantec retains the right to remove content and limit users’ access –

Symantec
does not generally edit or monitor content posted by participants to
the Forums. However, Symantec retains the right, at its sole
discretion, to limit participants access to the Forums and to remove
material that, in the sole judgment of Symantec, does not comply with the
present Usage Guidelines, or that is otherwise inappropriate for these
Forums, harmful, objectionable, or inaccurate. Symantec is not
responsible for any failure or delay in removing such material.

Symantec
Forum moderators may take any action they deem necessary in their own
judgment to support the Usage Guidelines. Such actions may include
editing or deleting material and banning individual participants.

– Disclaimer of Warranties and Limitation of Liability –

Members
like you are providing most of the material in the Forums. Such
third-party content is the sole responsibility of the person
originating the material. Symantec does not control and is not
responsible for this third-party material.

Symantec does not
warrant or guarantee the accuracy, reliability, completeness,
usefulness, non-infringement on intellectual property rights, or
quality of any material in the Forums, regardless of who originates
that material. You expressly understand and agree that you bear all
risks associated with using or relying on the material. Symantec will
not be liable or responsible in any way for any content in the Forums,
including, but not limited to, any errors or omissions in the material,
or for any losses or damage of any kind incurred as a result of the use
of or reliance on any material. This disclaimer and limitation on
liability is in addition to the disclaimers and limitations contained
in the Legal Notices posted on Symantecs web site that apply to all use
of Symantecs web site, which can be found at http://www.symantec.com/about/profile/policies/legal.jsp.
In case of discrepancy between this document and Symantec Legal
Notices, or with the Symantec Privacy Policy, the Legal Notices and the
Privacy Policy will prevail.