The Drupal installer allows any visitor to provide credentials for a database when the site’s own database is not reachable. This allows attackers to run arbitrary code on the site’s server.
An immediate workaround is the removal of the file install.php in the Drupal root directory.
Versions affected
Drupal 5.x before Drupal 5.3
Solution
Install the latest version:
If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
Versions affected
Drupal 4.7.x before version 4.7.8.
Drupal 5.x before version 5.3.
Solution
Install the latest version:
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a “header overflow.” (CVSS:6.8) (Last Update:2008-09-05)
Vulnerability: Multiple cross site scripting vulnerabilities
Description
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim’s session on the targeted website.
Custom content type names are not escaped consistently. A malicious user with the ‘administer content types’ permission would be able to inject and execute arbitrary HTML and script code on the website.
Revoking the ‘administer content types’ permission provides an immediate workaround.
settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites’ settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.
Reported by
The server variables issue was reported by David Caylor.
Content type naming issues were reported by Karthik.
Thanks
The security team wishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Jansens and Neil Drumm for technical assistance.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Vulnerability: Multiple cross site request forgeries
Description
Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site.
Versions affected
Drupal 5.x before version 5.2.
Solution
Install the latest version:
If you are running Drupal 5.x then upgrade to Drupal 5.2.
Drupal 4.7.x is not affected.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault. (CVSS:5.8) (Last Update:2012-10-30)
lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. (CVSS:4.3) (Last Update:2008-09-05)
connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts. (CVSS:4.3) (Last Update:2012-10-30)
mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings. (CVSS:8.3) (Last Update:2012-10-30)