Drupal Security Advisories

SA-CORE-2009-007 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2009-007
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-July-1
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross-site scripting

The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Input format access bypass

User signatures have no separate input format; they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment once an administrator changes the comment’s input format to a format that is not accessible to the user. However, they will still be able to modify their signature, which will then be processed by the new input format.

If the new format is very permissive, the user may be able to use their signature to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, to execute PHP code.

This issue affects Drupal 6.x only.

Password leaked in URL

When an anonymous user fails to log in because of a mistyped username or password, and the page they are on contains a sortable table, the (incorrect) username and password are included in the table’s sort links. If the user follows these links, the password may be leaked to external sites via the HTTP Referer header.

In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache.

This issue affects both Drupal 5.x and Drupal 6.x.

Versions affected

  • Drupal 5.x before version 5.19.
  • Drupal 6.x before version 6.13.

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.13.
  • If you are running Drupal 5.x then upgrade to Drupal 5.19.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.19 or Drupal 6.13.

Reported by

The forum XSS issue was independently reported by Mark Piper of Catalyst IT Ltd, Sven Herrmann and Brandon Knight.
The user signature issue was reported by Gerhard Killesreiter of the Drupal security team.
The password in URL issue was reported by Sumit Datta.

Fixed by

The forum XSS issue was fixed by Heine Deelstra, Peter Wolanin and Charlie Gordon.
The user signature issue was fixed by David Rothstein, Charlie Gordon, Heine Deelstra and Gábor Hojtsy.
The password in URL issue was fixed by Damien Tournoud and Bart Jansens.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CORE-2009-006 – Drupal core – Cross site scripting

  • Advisory ID: DRUPAL-SA-CORE-2009-006
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-May-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. The fix released in SA-CORE-2009-005 (Drupal core – Cross site scripting) was incomplete: HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code into these exports.

Additionally, the taxonomy module allows users with the ‘administer taxonomy’ permission to inject arbitrary HTML and script code in the help text of any vocabulary.

Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • Drupal 5.x before version 5.18.
  • Drupal 6.x before version 6.12.

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.12.
  • If you are running Drupal 5.x then upgrade to Drupal 5.18.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.18 or Drupal 6.12.

Reported by

The UTF-7 XSS issue in book-export-html.tpl.php was reported by Markus Petrux.

The XSS issue in taxonomy module was publicly disclosed.

Fixed by

Both issues were fixed by Heine Deelstra, Peter Wolanin and Derek Wright of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CORE-2009-005 – Drupal core – Cross site scripting

  • Advisory ID: DRUPAL-SA-CORE-2009-005
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-April-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

Wikipedia has more information about cross site scripting (XSS).

In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.

This vulnerability is limited to forms present on the frontpage. The user login form is not vulnerable.

Versions affected

  • Drupal 5.x before version 5.17.
  • Drupal 6.x before version 6.11.

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.17.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.17 or Drupal 6.11.

As an alternate solution if you are unable to upgrade immediately, you can alter your page template following the pattern in the core changes. Open your theme’s main page.tpl.php file as well as any other page templates like page-node.tpl.php or page-front.tpl.php and move the line that prints $head (<?php print $head ?>) above the line with the <title> tag, so that it is the first item after <head>.
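The following script is an added check, not part of the advisory or of Drupal: it inspects a rendered page with the standard library's html.parser and reports whether a UTF-8 charset declaration is the very first thing inside <head>, which is what the template change above achieves. The two sample pages are constructed to mirror the patched and the pre-patch template order.

```python
import re
from html.parser import HTMLParser


class HeadOrder(HTMLParser):
    """Record what appears inside <head>, in document order, so we can tell
    whether anything (for example <title>) precedes the charset declaration."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.events = []  # ("charset", value) | ("tag", name) | ("text", data)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if not self.in_head:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        charset = a.get("charset")  # HTML5 <meta charset="..."> form
        if tag == "meta" and not charset and a.get("http-equiv", "").lower() == "content-type":
            m = re.search(r"charset\s*=\s*([\w-]+)", a.get("content", ""), re.I)
            charset = m.group(1) if m else None
        if tag == "meta" and charset:
            self.events.append(("charset", charset.lower()))
        else:
            self.events.append(("tag", tag))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

    def handle_data(self, data):
        if self.in_head and data.strip():
            self.events.append(("text", data.strip()))


def charset_is_first(html_text):
    """True only if the first element inside <head> is a meta tag declaring
    UTF-8. IE 6/7 sniff the leading bytes before honouring the meta tag, so
    any earlier <title> or text widens the window for UTF-7 interpretation."""
    p = HeadOrder()
    p.feed(html_text)
    p.close()
    return bool(p.events) and p.events[0] == ("charset", "utf-8")


def header_declares_utf8(headers):
    """The HTTP Content-Type header should also carry charset=utf-8. The
    advisory notes Drupal already sends it and IE may still sniff, so this
    check is necessary but not sufficient on its own."""
    ct = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    return "charset=utf-8" in ct.lower().replace(" ", "")


# Constructed samples: patched order ($head before <title>) and the
# pre-patch order (<title> printed before $head).
PATCHED = ('<html><head><meta http-equiv="Content-Type" '
           'content="text/html; charset=utf-8" /><title>Site</title>'
           '</head><body></body></html>')
VULNERABLE = ('<html><head><title>Site</title><meta http-equiv="Content-Type" '
              'content="text/html; charset=utf-8" /></head><body></body></html>')

if __name__ == "__main__":
    for name, doc in (("patched", PATCHED), ("vulnerable", VULNERABLE)):
        print(name, "charset first:", charset_is_first(doc))
```

Run it against the HTML your theme actually emits (for example a saved copy of the front page), since a template edit only counts once the rendered output shows the meta tag first.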

Reported by

The UTF-7 XSS issue was reported by pod.Edge.

The information disclosure vulnerability was reported by Moritz Naumann.

Fixed by

The Drupal security team

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

New pages and RSS feeds for security announcements

Separate Security Announcements by Type

To make the impact of different security advisories and announcements easier to see, they are now separated by type.

Drupal core security advisories: http://drupal.org/security
RSS feed for Drupal core: http://drupal.org/security/rss.xml

Contributed project security advisories: http://drupal.org/security/contrib
RSS feed for contributed projects: http://drupal.org/security/contrib/rss.xml

Public service announcements: http://drupal.org/security/psa
RSS feed for announcements: http://drupal.org/security/psa/rss.xml

We encourage those using RSS readers to track security-related developments to subscribe to all three of these feeds.

All posts to each of these three forums will still be sent to the one security announcements e-mail list. To subscribe to that e-mail list, once logged in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

All future public service announcements will only be posted to the Public service announcements page and feed.

Background on the Changes

At Drupalcon in Washington, D.C. earlier this month, members of the Security team held a “Birds of a Feather” session to discuss various topics, including improvements to our process of communicating with the public.

One outcome of this meeting was that we decided to more clearly differentiate among security advisories for Drupal core (which affect all users) as opposed to security advisories for contributed projects (which are often used by only tens of sites). In addition, the security team has on occasion issued announcements (such as this one), which were previously mixed in with actual security advisories.

Since the Drupal 6.x upgrade of http://drupal.org, newsletter postings have been managed using forums. The security team has thus split security-related postings among three forums under http://drupal.org/forum/1188.

All past and new advisories and announcements and their feeds can be viewed (via tabs) on http://drupal.org/security.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CORE-2009-004 – Local file inclusion on Windows

  • Advisory ID: DRUPAL-SA-CORE-2009-004
  • Project: Drupal core
  • Versions: 5.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows
  • Reference: SA-CORE-2009-003 (6.x)

Description

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn’t take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.

Versions Affected

  • Drupal 5.x before version 5.16

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.16.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 5.16.

Reported by

Bogdan Calin (www.acunetix.com)

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CORE-2009-003 – Local file inclusion on Windows

  • Advisory ID: DRUPAL-SA-CORE-2009-003
  • Project: Drupal core
  • Versions: 6.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows

Description

This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used.

The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn’t take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example: If a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site.

Important note: An attacker may also be able to inject PHP code into webserver logs and subsequently include the log file, leading to code execution even if no upload functionality is enabled on the site.
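SA-CORE-2009-004 and SA-CORE-2009-003 above describe the same bug on 5.x and 6.x, so one added example serves both. It is not Drupal's fix but a Python sketch of the two controls that close this class of issue: restricting URL-derived template suggestions to an allowlisted character set before they ever touch the filesystem, and confirming that the resolved path still lies inside the theme directory. The theme directory, template names and sample URL arguments are constructed for the demonstration.

```python
import os
import re
import tempfile

# A template suggestion component is plain alphanumeric or it is rejected.
SAFE_COMPONENT = re.compile(r"^[a-z0-9_]+$")


def template_suggestions(args):
    """Derive candidate template names from URL path components, most
    specific first, e.g. ['node', '42'] -> page-node-42, page-node, page.
    Rejecting anything outside the allowlist means no separator, '..', ':'
    or trailing dot/space reaches a path, so the outcome does not depend on
    how Windows canonicalizes names (it strips trailing dots and spaces and
    accepts both '\\' and '/' as separators)."""
    for a in args:
        if not SAFE_COMPONENT.match(a):
            raise ValueError(f"unsafe template suggestion component: {a!r}")
    names = ["page-" + "-".join(args[:i]) + ".tpl.php" for i in range(len(args), 0, -1)]
    return names + ["page.tpl.php"]


def resolve_inside(base_dir, name):
    """Defence in depth: let the OS canonicalize via realpath(), then require
    the result to stay under base_dir and to be an existing regular file."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        return None
    return path if os.path.isfile(path) else None


def select_template(theme_dir, args):
    """Return the first existing, safely resolved suggestion, or None."""
    try:
        names = template_suggestions(args)
    except ValueError:
        return None
    for name in names:
        path = resolve_inside(theme_dir, name)
        if path:
            return path
    return None


def make_sample_theme():
    """Constructed theme directory with two empty templates for the demo."""
    d = tempfile.mkdtemp(prefix="theme-")
    for name in ("page.tpl.php", "page-node.tpl.php"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    theme = make_sample_theme()
    for args in (["node", "42"], ["user"], ["..", "settings"], ["node", "42."]):
        print(args, "->", select_template(theme, args))
```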

Versions Affected

  • Drupal 6.x before version 6.10

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.10.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes the security vulnerability, but does not contain other fixes which were released in Drupal 6.10.

Reported by

Bogdan Calin (www.acunetix.com)

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CORE-2009-001 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2009-001
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2009-January-14
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Access Bypass

The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node’s content is copied into the new node’s submission form.

The module contains a flaw that allows a user with the ‘translate content’ permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.

This issue only affects Drupal 6.x.

Validation Bypass

When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.

This issue only affects Drupal 6.x.

Hardening against SQL injection

A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries. While there is no direct risk of SQL injection from Drupal core, it’s possible that this could have presented a risk in combination with a contributed module. Additional validation has been added to eliminate this risk.

This issue affects both Drupal 5.x and Drupal 6.x.

Versions Affected

  • Drupal 5.x before version 5.15.
  • Drupal 6.x before version 6.9.

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.15.
  • If you are running Drupal 6.x then upgrade to Drupal 6.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

The access bypass issue for translations was reported by Wolfgang Ziegler.

The validation bypass was reported by v1nce, supersmashbrothers, Tejus Pratap, and Limiting Factor.

The need for SQL hardening was reported by Derek Wright of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-073 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-073
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-December-10
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site request forgery

The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.

Cross site scripting

When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from ‘malicious’ content that was posted earlier.
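As an added example (not Drupal's code), the Python sketch below shows the two defences that address this class of bug: reassigning content to the default format when a format is deleted, and failing closed at render time when a stored format id no longer resolves, instead of emitting the body unfiltered. The format table, the tag-allowlist filter and the sample nodes are all constructed.

```python
import html
import re

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>")
ALLOWED_TAGS = {"a", "em", "strong", "p", "br"}


def filtered_html(text):
    """Keep an allowlist of tags (attributes dropped here for brevity) and
    escape everything else, including any tag not on the list."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        slash, name = m.group(1), m.group(2).lower()
        out.append(f"<{slash}{name}>" if name in ALLOWED_TAGS else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def escape_all(text):
    """Most restrictive filter: no markup survives at all."""
    return html.escape(text)


# Constructed input-format table: id -> (name, filter function).
FORMATS = {
    1: ("Filtered HTML", filtered_html),
    2: ("Full HTML", lambda t: t),
    3: ("Comment HTML", filtered_html),
}
DEFAULT_FORMAT = 1

# Constructed content posted while format 3 was still a filtering format.
NODES = {10: {"body": "<p>Hi</p><script>alert(1)</script>", "format": 3}}
# Constructed node left pointing at a format that was deleted without
# reassignment: the situation the advisory describes.
STALE = {"body": "<p>Hi</p><script>alert(1)</script>", "format": 99}


def render_unsafe(node):
    """Pre-fix behaviour: a format id that no longer exists falls through to
    the raw body, so tags filtered at posting time are now emitted as-is."""
    fmt = FORMATS.get(node["format"])
    return fmt[1](node["body"]) if fmt else node["body"]


def render(node):
    """Fail closed: an unknown format is rendered with the most restrictive
    filter, so stale content can never come out unfiltered."""
    _, fn = FORMATS.get(node["format"], ("(deleted)", escape_all))
    return fn(node["body"])


def delete_format(fmt_id):
    """Remove a format and move every node that used it to the default, so
    no content is left referencing a format that no longer exists."""
    if fmt_id == DEFAULT_FORMAT:
        raise ValueError("the default format cannot be deleted")
    FORMATS.pop(fmt_id, None)
    moved = 0
    for node in NODES.values():
        if node["format"] == fmt_id:
            node["format"] = DEFAULT_FORMAT
            moved += 1
    return moved
```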

Versions Affected

  • Drupal 5.x before version 5.13
  • Drupal 6.x before version 6.7

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.13.
  • If you are running Drupal 6.x then upgrade to Drupal 6.7.

Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Both issues were reported by David Rothstein (David_Rothstein).

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-067 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-067
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-22
  • Security risk: Less Critical
  • Exploitable from: Local/Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File inclusion

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

Cross site scripting

The title of book pages is not always properly escaped, enabling users with the “create book content” permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

Versions Affected

  • Drupal 5.x before version 5.12
  • Drupal 6.x before version 6.6

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.12.
  • If you are running Drupal 6.x then upgrade to Drupal 6.6.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

  • The file inclusion vulnerability was reported by Anthony Ferrara
  • The cross site scripting issue was reported by Maarten van Grootel

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-060 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-060
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-8
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

File upload access bypass

A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only.

Users can view files attached to content which they do not otherwise have access to. This bug affects Drupal 5.x only.

If the core upload module is not enabled, your site will not be affected.

Access rules bypass

A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions.

If you do not use the ‘access rules’ functionality in core, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

BlogAPI access bypass

The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the ‘Administer content with BlogAPI’ permission should only be given to trusted users.

If the core BlogAPI module is not enabled, your site will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

Node validation bypass

A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.

This bug affects Drupal 5.x only.

Versions affected

  • Drupal 5.x before version 5.11
  • Drupal 6.x before version 6.5

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.11.
  • If you are running Drupal 6.x then upgrade to Drupal 6.5.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

Names marked with asterisk are members of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
