All posts by 007admin

Drupal

SA-2008-047 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-047
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-August-13
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site scripting

A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS).

A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks.

These bugs affects both Drupal 5.x and 6.x.

Arbitrary file uploads via BlogAPI

The BlogAPI module does not validate the extension of uploaded files, enabling users with the “administer content with blog api” permission to upload harmful files.

This bug affects both Drupal 5.x and 6.x.

Cross site request forgeries

Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements.

This bug affects Drupal 6.x.

User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person.

This bug affects both Drupal 5.x and 6.x.

Various Upload module vulnerabilities

The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the “upload files” permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF).

These bugs affect Drupal 6.x.

Versions affected

  • Drupal 5.x before version 5.10
  • Drupal 6.x before version 6.4

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.10.
  • If you are running Drupal 6.x then upgrade to Drupal 6.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

* Members of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 
Drupal 5.x
Drupal 6.x
Drupal

SA-2008-046 – Drupal core – Session fixation

  • Advisory ID: DRUPAL-SA-2008-046
  • Project: Drupal core
  • Version: 5.x
  • Date: 2008-July-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Session fixation

Description

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user is able to control another users’ initial session ID. As the session is not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and will have the same access.

The advisory SA-2008-044 claims that this session fixation vulnerability was fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this vulnerability.

Versions affected

  • Drupal 5.x before version 5.9

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

  • The session fixation issue was originally reported by Erich C. Beyrent. Its continued existance in 5.8 was reported by dmnd.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 
Drupal 5.x
Symantec

New Feature – KUDOS

Hi everyone,
 
There’s a new feature we’ve just implemented for the “Norton Forums BETA” – Kudos!
 
Kudos are a way for you to give approval to content that you think is helpful, well-formed, insightful, or otherwise generally valuable in the community. When you give kudos to a message, you are not only offering a thumbs up for good content, but also a pat on the back to its author. Kudos also allow Moderators and Administrators to identify and organize the content that you are likely to find most relevant.
 
Here’s how you do it: Simply click the “Kudos!” button to give a kudo to the message and its author. The author of a message cannot kudo his/her own messages; Also, you can only kudo a message once.

 

If you have any questions or concerns about this new feature, please let us know on the Forum Feedback Board. Thanks! 

Apple

CVE-2008-2304

Buffer overflow in Apple Core Image Fun House 2.0 and earlier in CoreImage Examples in Xcode tools before 3.1 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a .funhouse file with a string XML element that contains many characters. (CVSS:6.8) (Last Update:2009-01-29)

Drupal

SA-2008-044 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-044
  • Project: Drupal core
  • Version: 5x, 6.x
  • Date: 2008-July-9
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabities and weaknesses were discovered in Drupal. Neither of these are readily exploitable.

Cross site scripting

Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.

Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.

filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.

Cross site request forgeries

Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.

Session fixation

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user is able to control another users’ initial session ID. As the session is not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.

SQL injection

Schema API uses an inappropriate placeholder for ‘numeric’ fields enabling SQL injection when user-supplied data is used for such fields.This issue affects Drupal 6 only.

Versions affected

  • Drupal 5.x before version 5.8
  • Drupal 6.x before version 6.3

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.8.
  • If you are running Drupal 6.x then upgrade to Drupal 6.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Note for site administrators

Drupal 5.8 and 6.3 no longer support the use of the object HTML tag in many text supplied by administrators. Such texts include the mission statement and taxonomy term descriptions.

Notes for developers

Drupal 6.3 has the new db_query placeholder %n for numeric fields (DECIMAL, NUMERIC). Custom queries should be updated to reflect this change.

Reported by

  • The session fixation issue was reported by Erich C. Beyrent.
  • The Taxonomy term XSS issue was reported by John Morahan.
  • The OpenID CSRF issue was reported by Peter Wolanin (Drupal security team).
  • The OpenID XSS issue was reported by Neil Drumm (Drupal security team).
  • The locale CSRF issue and the numeric SQL injection issue were reported by Heine Deelstra (Drupal security team).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 
Drupal 5.x
Drupal 6.x
Perl

CVE-2008-2827

The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452. (CVSS:4.6) (Last Update:2008-11-25)

NVD

CVE-2008-1444 (directx)

Stack-based buffer overflow in Microsoft DirectX 7.0 and 8.1 on Windows 2000 SP4 allows remote attackers to execute arbitrary code via a Synchronized Accessible Media Interchange (SAMI) file with crafted parameters for a Class Name variable, aka the “SAMI Format Parsing Vulnerability.”

NVD

CVE-2008-1440 (windows, windows_xp)

Microsoft Windows XP SP2 and SP3, and Server 2003 SP1 and SP2, does not properly validate the option length field in Pragmatic General Multicast (PGM) packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted PGM packet, aka the “PGM Invalid Length Vulnerability.”