The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452. (CVSS:4.6) (Last Update:2008-11-25)
CVE-2008-1444 (directx)
Stack-based buffer overflow in Microsoft DirectX 7.0 and 8.1 on Windows 2000 SP4 allows remote attackers to execute arbitrary code via a Synchronized Accessible Media Interchange (SAMI) file with crafted parameters for a Class Name variable, aka the “SAMI Format Parsing Vulnerability.”
CVE-2008-1445 (windows-nt, windows_2003_server, windows_xp)
Active Directory on Microsoft Windows 2000 Server SP4, XP Professional SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to cause a denial of service (system hang or reboot) via a crafted LDAP request.
CVE-2008-1440 (windows, windows_xp)
Microsoft Windows XP SP2 and SP3, and Server 2003 SP1 and SP2, does not properly validate the option length field in Pragmatic General Multicast (PGM) packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted PGM packet, aka the “PGM Invalid Length Vulnerability.”
CVE-2007-5803
Multiple cross-site scripting (XSS) vulnerabilities in CGI programs in Nagios before 2.12 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different issue than CVE-2007-5624 and CVE-2008-1360. (CVSS:4.3) (Last Update:2008-09-05)
CVE-2008-1927
Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems. (CVSS:5.0) (Last Update:2010-08-21)
CVE-2007-6255 (ie)
Buffer overflow in the Microsoft HeartbeatCtl ActiveX control in HRTBEAT.OCX allows remote attackers to execute arbitrary code via the Host argument to an unspecified method.
Critical Patch Update – April 2008
SA-2008-026 – Drupal core – Access bypass
- Advisory ID: DRUPAL-SA-2008-026
- Project: Drupal core
- Version: 6.x
- Date: 2008-April-09
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The menu system routes page requests to appropriate handlers. It also determines whether a user has access to pages based on several criteria, such as permissions assigned to a role. Drupal 6 features an entirely revised menu system, including changes to the way access is dealt with, which if not properly understood by developers can lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.
Access to some pages was not appropriately controlled:
- Any user can edit profile pages of other users.
- Users who can view administration pages are able to edit content types.
- The tracker and blog pages expose information to users without the “access content” permission.
Versions affected
- Drupal 6.x before version 6.2.
Solution
Install the latest version:
- If you are running Drupal 6.x then upgrade to Drupal 6.2.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes incorrectly set menu items in Drupal core, but does not contain the menu API change which would provide secure defaults. This patch is a temporary solution to be used if modules are required which are still incompatible with the new API changes.
- To patch Drupal 6.1 use SA-2008-026-6.1c.patch.
If you used SA-2008-026-6.1.patch or SA-2008-026-6.1b.patch: the patch was incorrect. Please reverse the patch, such as patch -R, and apply the current patch.
Important notes
It is essential to follow this process when updating:
- First make sure that you are logged in as user number 1 or that your site’s settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
- Turn your site into offline mode.
- Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
- Run update.php.
- Turn your site back to online mode.
- If you edited your site’s settings.php, make sure to set $update_free_access = FALSE;
If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message: “Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594” and you will have no way to set the site to offline mode on the web interface until you get through update.php.
Contributed modules may require an update to work properly with Drupal 6.2. Failing to update modules will lead to some pages of the affected modules not being accessible.
Note for Module developers
Drupal 6.2 contains two API changes.
- Menu access callbacks are no longer inherited from parent items.
- %user_current has been renamed to %user_uid_optional.
Additional information can be found in Updating your 6.x module to work with 6.2.
Reported by
- The tracker and profile access issue were respectively reported by Peter Wolanin and Greg Knaddison of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Drupal version:
CVE-2008-1087 (windows-nt, windows_2000, windows_2003_server, windows_vista, windows_xp)
Stack-based buffer overflow in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF image file with crafted filename parameters, aka “GDI Stack Overflow Vulnerability.”