- Advisory ID: DRUPAL-SA-2008-073
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2008-December-10
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities and weaknesses were discovered in Drupal.
Cross site request forgery
The update system is vulnerable to cross-site request forgery. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.
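The defensive pattern behind the fix is to bind every state-changing administrative action to a token that a cross-origin request cannot supply. The following Python sketch is an added illustration of that check; it is not Drupal code, and the handler name, the session identifier, the update names and the secret key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret for this example; a real site keeps this key
# private and persistent so that tokens survive a restart.
SECRET_KEY = secrets.token_bytes(32)


def make_token(session_id: str, action: str) -> str:
    """Derive a token bound to both the user's session and the specific action,
    so a token minted for one purpose cannot authorise another."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, action: str) -> bool:
    """Constant-time comparison against the token the form should have carried."""
    return hmac.compare_digest(token, make_token(session_id, action))


def run_updates_handler(request: dict, session_id: str, pending_updates: list) -> tuple:
    """Hypothetical handler for a state-changing admin action (running pending
    database updates). A cross-site request can ride on the victim's session
    cookie, but it cannot know the token that only the site's own confirmation
    form was given, so anything lacking a valid token is refused."""
    if request.get("method") != "POST":
        return False, "state-changing actions are only accepted over POST"
    token = request.get("form", {}).get("token", "")
    if not valid_token(token, session_id, "run-updates"):
        return False, "missing or invalid CSRF token"
    for update in pending_updates:
        update()
    return True, f"ran {len(pending_updates)} update(s)"


if __name__ == "__main__":
    ran = []
    # Constructed stand-in for a pending database update.
    updates = [lambda: ran.append("example_update")]
    sid = "admin-session-constructed"
    # A forged link (GET) or a form POST from another origin carries no valid token.
    print(run_updates_handler({"method": "GET"}, sid, updates))
    print(run_updates_handler({"method": "POST", "form": {}}, sid, updates))
    # The site's own confirmation form embeds the token, so this request succeeds.
    form = {"token": make_token(sid, "run-updates")}
    print(run_updates_handler({"method": "POST", "form": form}, sid, updates))
    print(ran)
```

Binding the token to the action name as well as the session matters: a token issued for a harmless form must not be reusable to confirm the update run.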
Cross site scripting
When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from ‘malicious’ content that was posted earlier.
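The weakness is a fail-open lookup: content whose stored format no longer exists is rendered raw. The Python model below, added here and not taken from Drupal, shows the described behaviour next to two hardened variants: a renderer that falls back to the most restrictive filter when the format is missing, and a deletion routine that reassigns affected content before the format disappears. The format registry, the toy tag filter and the sample content are all constructed.

```python
import html
import re

# Toy tag matcher for the illustration; a production filter needs a real HTML parser.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def filtered_html(text: str, allowed=("p", "a", "em", "strong")) -> str:
    """Constructed 'filtered HTML' format: drops every tag not on the allow list."""
    return TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in allowed else "", text)


def full_html(text: str) -> str:
    """Constructed 'full HTML' format: trusted authors only, nothing stripped."""
    return text


# Constructed registry of input formats; an administrator can delete entries.
FORMATS = {1: filtered_html, 2: full_html}
DEFAULT_FORMAT = 1  # the most restrictive format; never deletable


def render_unsafe(body: str, format_id: int) -> str:
    """The behaviour the advisory describes: an unknown format means the
    content is shown unfiltered, so tags that used to be stripped now run."""
    fmt = FORMATS.get(format_id)
    return fmt(body) if fmt else body


def render_safe(body: str, format_id: int) -> str:
    """Fail closed: an unknown format falls back to the default (most
    restrictive) format, or to full escaping if even that is gone."""
    fmt = FORMATS.get(format_id) or FORMATS.get(DEFAULT_FORMAT) or html.escape
    return fmt(body)


def delete_format(format_id: int, contents: list) -> int:
    """Hardened deletion: move every stored item off the format being removed
    before it disappears, so no content is left pointing at a missing filter.
    Returns the number of items reassigned."""
    if format_id == DEFAULT_FORMAT:
        raise ValueError("the default format cannot be deleted")
    if format_id not in FORMATS:
        raise KeyError(format_id)
    moved = 0
    for item in contents:
        if item["format"] == format_id:
            item["format"] = DEFAULT_FORMAT
            moved += 1
    del FORMATS[format_id]
    return moved


if __name__ == "__main__":
    # Constructed content that was posted while format 2 still existed.
    contents = [{"body": "<p>hi</p><script>alert(1)</script>", "format": 2}]
    body = contents[0]["body"]
    print("unknown format, fail-open :", render_unsafe(body, 99))
    print("unknown format, fail-closed:", render_safe(body, 99))
    print("reassigned on delete:", delete_format(2, contents), contents)
    print("after delete:", render_safe(body, contents[0]["format"]))
```

The two hardened pieces are complementary: reassigning content on deletion removes the dangling reference, and the fail-closed renderer protects any row the migration missed.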
Versions Affected
- Drupal 5.x before version 5.13
- Drupal 6.x before version 6.7
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.13.
- If you are running Drupal 6.x then upgrade to Drupal 6.7.
Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
- To patch Drupal 5.12 use SA-2008-073-5.12.patch.
- To patch Drupal 6.6 use SA-2008-073-6.6.patch.
Reported by
Both issues were reported by David Rothstein (David_Rothstein).
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.