lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data. (CVSS:7.5) (Last Update:2009-02-26)
CVE-2008-4298
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. (CVSS:5.0) (Last Update:2009-02-26)
CVE-2008-4116
Buffer overflow in Apple QuickTime 7.5.5 and iTunes 8.0 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a long type attribute in a quicktime tag (1) on a web page or embedded in a (2) .mp4 or (3) .mov file, possibly related to the Check_stack_cookie function and an off-by-one error that leads to a heap-based buffer overflow. (CVSS:9.3) (Last Update:2011-01-06)
CVE-2008-3008 (windows-nt, windows_media_encoder)
Stack-based buffer overflow in the WMEncProfileManager ActiveX control in wmex.dll in Microsoft Windows Media Encoder 9 Series allows remote attackers to execute arbitrary code via a long first argument to the GetDetailsString method, aka “Windows Media Encoder Buffer Overrun Vulnerability.”
SA-2008-047 – Drupal core – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-2008-047
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2008-August-13
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities and weaknesses were discovered in Drupal.
Cross site scripting
A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS).
A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks.
These bugs affects both Drupal 5.x and 6.x.
Arbitrary file uploads via BlogAPI
The BlogAPI module does not validate the extension of uploaded files, enabling users with the “administer content with blog api” permission to upload harmful files.
This bug affects both Drupal 5.x and 6.x.
Cross site request forgeries
Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements.
This bug affects Drupal 6.x.
User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person.
This bug affects both Drupal 5.x and 6.x.
Various Upload module vulnerabilities
The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the “upload files” permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF).
These bugs affect Drupal 6.x.
Versions affected
- Drupal 5.x before version 5.10
- Drupal 6.x before version 6.4
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.10.
- If you are running Drupal 6.x then upgrade to Drupal 6.4.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
- To patch Drupal 5.9 use SA-2008-047-5.9.patch.
- To patch Drupal 6.3 use SA-2008-047-6.3.patch.
Reported by
- The input filter flaw was reported by Bart Jansens*.
- The private filesystem MIME type issue was reported by Mark Burdett.
- The BlogAPI file upload flaw was independently reported by Gábor Hojtsy* and Mark Burdett.
- The CSRF of cacheable forms and CSRF of uploads was reported by Heine Deelstra*.
- The CSRF of user access rules was reported by Barry Jaspan*.
- The Upload privilege escalation was reported by Damien Tournoud*.
- The arbitrary file deletion issue was reported by John Morahan*.
- The attachment view access bypass issue was reported by Caroline Schnapp.
* Members of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
SA-2008-046 – Drupal core – Session fixation
- Advisory ID: DRUPAL-SA-2008-046
- Project: Drupal core
- Version: 5.x
- Date: 2008-July-23
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Session fixation
Description
When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user is able to control another users’ initial session ID. As the session is not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and will have the same access.
The advisory SA-2008-044 claims that this session fixation vulnerability was fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this vulnerability.
Versions affected
- Drupal 5.x before version 5.9
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.9.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
- To patch Drupal 5.8 use SA-2008-046-5.8.patch.
Reported by
- The session fixation issue was originally reported by Erich C. Beyrent. Its continued existance in 5.8 was reported by dmnd.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
Critical Patch Update – July 2008
New Feature – KUDOS
Hi everyone,
There’s a new feature we’ve just implemented for the “Norton Forums BETA” – Kudos!
Kudos are a way for you to give approval to content that you think is helpful, well-formed, insightful, or otherwise generally valuable in the community. When you give kudos to a message, you are not only offering a thumbs up for good content, but also a pat on the back to its author. Kudos also allow Moderators and Administrators to identify and organize the content that you are likely to find most relevant.
Here’s how you do it: Simply click the “Kudos!” button to give a kudo to the message and its author. The author of a message cannot kudo his/her own messages; Also, you can only kudo a message once.
If you have any questions or concerns about this new feature, please let us know on the Forum Feedback Board. Thanks!
CVE-2008-2304
Buffer overflow in Apple Core Image Fun House 2.0 and earlier in CoreImage Examples in Xcode tools before 3.1 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a .funhouse file with a string XML element that contains many characters. (CVSS:6.8) (Last Update:2009-01-29)
SA-2008-044 – Drupal core – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-2008-044
- Project: Drupal core
- Version: 5x, 6.x
- Date: 2008-July-9
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabities and weaknesses were discovered in Drupal. Neither of these are readily exploitable.
Cross site scripting
Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.
Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.
filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.
Cross site request forgeries
Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.
Session fixation
When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user is able to control another users’ initial session ID. As the session is not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.
SQL injection
Schema API uses an inappropriate placeholder for ‘numeric’ fields enabling SQL injection when user-supplied data is used for such fields.This issue affects Drupal 6 only.
Versions affected
- Drupal 5.x before version 5.8
- Drupal 6.x before version 6.3
Solution
Install the latest version:
- If you are running Drupal 5.x then upgrade to Drupal 5.8.
- If you are running Drupal 6.x then upgrade to Drupal 6.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
- To patch Drupal 5.7 use SA-2008-044-5.7.patch.
- To patch Drupal 6.2 use SA-2008-044-6.2.patch.
Note for site administrators
Drupal 5.8 and 6.3 no longer support the use of the object HTML tag in many text supplied by administrators. Such texts include the mission statement and taxonomy term descriptions.
Notes for developers
Drupal 6.3 has the new db_query placeholder %n for numeric fields (DECIMAL, NUMERIC). Custom queries should be updated to reflect this change.
Reported by
- The session fixation issue was reported by Erich C. Beyrent.
- The Taxonomy term XSS issue was reported by John Morahan.
- The OpenID CSRF issue was reported by Peter Wolanin (Drupal security team).
- The OpenID XSS issue was reported by Neil Drumm (Drupal security team).
- The locale CSRF issue and the numeric SQL injection issue were reported by Heine Deelstra (Drupal security team).
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version: