- Advisory ID: DRUPAL-SA-2008-060
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2008-October-8
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities and weaknesses were discovered in Drupal.
File upload access bypass
A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only.
Users can view files attached to content which they do not otherwise have access to. This bug affects Drupal 5.x only.
If the core upload module is not enabled, your site will not be affected.
Access rules bypass
A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions.
If you do not use the ‘access rules’ functionality in core, your site will not be affected.
This bug affects both Drupal 5.x and Drupal 6.x.
BlogAPI access bypass
The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the ‘Administer content with BlogAPI’ permission should only be given to trusted users.
If the core BlogAPI module is not enabled, your site will not be affected.
This bug affects both Drupal 5.x and Drupal 6.x.
Node validation bypass
A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.
This bug affects Drupal 5.x only.
Versions affected
- Drupal 5.x before version 5.11
- Drupal 6.x before version 6.5
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.11.
- If you are running Drupal 6.x then upgrade to Drupal 6.5.
Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
- To patch Drupal 5.10 use SA-2008-060-5.10.patch.
- To patch Drupal 6.4 use SA-2008-047-6.4.patch.
Reported by
- The upload module flaw was reported by Damien Tournoud*
- The access rules bypass was reported by jry2000 and Stéphane Corlosquet*
- The BlogAPI vulnerability was reported by Caleb Delnay, Gábor Hojtsy* and Heine Deelstra*
- The node modules vulnerability was reported by Derek Wright*
Names marked with asterisk are members of the Drupal security team.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.