When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are invalid in the UTF8 specification are not handled properly by Internet Explorer 6 and may lead it to see a multibyte start character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. This may lead to unsafe attributes that were outside a tag for the filter to appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute javascript in the context of the website.
Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.
Use of modules that purposely insert bytes that are invalid UTF-8 characters, such as GeSHi Filter and Code Filter will cause any text using the filter to not be displayed. Disable the modules until a solution has been found.
Reported by
The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend.
The Drupal security team wants to thank Die Zeit, who commissioned the audit, for sharing the results.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
Versions affected
Drupal 4.7.x before version 4.7.11.
Drupal 5.x before version 5.6.
Solution
Install the latest version:
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
If you are running Drupal 5.x then upgrade to Drupal 5.6.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
Stack-based buffer overflow in SMB in Apple Mac OS X 10.4.11 allows local users to execute arbitrary code via (1) a long workgroup (-W) option to mount_smbfs or (2) an unspecified manipulation of the command line to smbutil. (CVSS:6.6) (Last Update:2008-09-05)
The accept_connections function in the virtual private network daemon (vpnd) in Apple Mac OS X 10.5 before 10.5.4 allows remote attackers to cause a denial of service (divide-by-zero error and daemon crash) via a crafted load balancing packet to UDP port 4112. (CVSS:7.8) (Last Update:2011-07-18)
The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.
Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a “malformed POSIX character class”, as demonstrated via an invalid character after a [[ sequence. (CVSS:4.3) (Last Update:2010-08-21)
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts. (CVSS:4.3) (Last Update:2008-09-05)
The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.
Versions affected
Drupal 4.7.x before version 4.7.8
Drupal 5.x before version 5.3.
Solution
Install the latest version:
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.
Versions affected
Drupal 5.x before version 5.3.
Solution
Install the latest version:
If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
This vulnerability was discovered during an audit of Drupal 5.1 by Stefan Esser and Mayflower GmbH. This audit was commissioned by die Zeit Online GmbH.
We wish to thank die Zeit Online for sharing the results with us.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.
Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files. but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror=”” attributes if you need to review files individually.
Installing the upgrade or using the patch will not remove the .html extensions from an already configured upload module. Visit Administer » Site Configuration » File uploads (admin/settings/uploads) on Drupal 5.x or administer » settings » upload (admin/settings/upload) on Drupal 4.7.x to remove html from the allowed extensions lists.
The steps above will stop uploads of malicious files, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path for any HTML files.
Versions affected
Drupal 4.7.x before version 4.7.8.
Drupal 5.x before version 5.3.
Solution
Install the latest version:
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.