SA-2008-067 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-067
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-22
  • Security risk: Less Critical
  • Exploitable from: Local/Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File inclusion

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

Cross site scripting

The title of book pages is not always properly escaped, enabling users with the “create book content” permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

Versions Affected

  • Drupal 5.x before version 5.12
  • Drupal 6.x before version 6.6

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.12.
  • If you are running Drupal 6.x then upgrade to Drupal 6.6.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

  • The file inclusion vulnerability was reported by Anthony Ferrara
  • The cross site scripting issue was reported by Maarten van Grootel

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

SA-2008-060 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-060
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-8
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File upload access bypass

A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only.

Users can view files attached to content which they do not otherwise have access to. This bug affects Drupal 5.x only.

If the core upload module is not enabled, your site will not be affected.

Access rules bypass

A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions.

If you do not use the ‘access rules’ functionality in core, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

BlogAPI access bypass

The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the ‘Administer content with BlogAPI’ permission should only be given to trusted users.

If the core BlogAPI module is not enabled, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

Node validation bypass

A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.

This bug affects Drupal 5.x only.

Versions affected

  • Drupal 5.x before version 5.11
  • Drupal 6.x before version 6.5

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.11.
  • If you are running Drupal 6.x then upgrade to Drupal 6.5.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Names marked with asterisk are members of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

CVE-2008-4360

mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files. (CVSS:7.8) (Last Update:2009-02-26)

CVE-2008-4359

lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data. (CVSS:7.5) (Last Update:2009-02-26)