Drupal Security Advisories

SA-2008-047 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-047
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-August-13
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Cross site scripting

A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS).

A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks.

These bugs affect both Drupal 5.x and 6.x.

Arbitrary file uploads via BlogAPI

The BlogAPI module does not validate the extension of uploaded files, enabling users with the “administer content with blog api” permission to upload harmful files.

This bug affects both Drupal 5.x and 6.x.
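Both upload issues above come down to the same missing check. The following PHP is an added example, not Drupal's own code: it accepts an upload only when the extension is on an allowlist and the file's own leading bytes match the type that extension implies, and it ignores the MIME type sent by the browser. The constant and function names, the signature table, and the sample bytes are constructed for this example.

```php
<?php
// Added example (not Drupal code): decide on an upload from the extension
// allowlist and the file's own bytes, never from the browser's Content-Type.

// Extension allowlist and the content type each extension must actually contain.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Magic-byte signatures: a small stand-in for the fileinfo extension so the
// example runs without it. Extend the table for every type you allow.
function sniff_content_type(string $bytes): ?string {
    $signatures = [
        "\x89PNG\r\n\x1a\n" => 'image/png',
        "\xFF\xD8\xFF"      => 'image/jpeg',
        "GIF87a"            => 'image/gif',
        "GIF89a"            => 'image/gif',
    ];
    foreach ($signatures as $magic => $type) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

/**
 * Returns null when the upload is acceptable, otherwise the reason for rejection.
 * $browser_mime is what the client claimed; it is logged but never trusted.
 */
function validate_upload(string $filename, string $bytes, string $browser_mime): ?string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension .$ext is not in the allowlist";
    }
    $sniffed = sniff_content_type($bytes);
    if ($sniffed === null) {
        return 'content does not match any permitted file type';
    }
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return "content is $sniffed but extension .$ext requires " . ALLOWED_TYPES[$ext];
    }
    if ($browser_mime !== $sniffed) {
        // Worth alerting on: a client that lies about the type is probing the filter.
        error_log("upload: browser claimed $browser_mime, content is $sniffed");
    }
    return null;
}

// Constructed samples: a real PNG header, and HTML relabelled by its Content-Type.
$png  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$html = "<html><body>not an image</body></html>";

$cases = [
    ['photo.png', $png,  'image/png'],   // genuine
    ['photo.png', $html, 'image/png'],   // markup with a trusted-looking type
    ['page.html', $html, 'text/html'],   // honest, but not allowed
    ['photo.jpg', $png,  'image/jpeg'],  // extension and content disagree
];
foreach ($cases as [$name, $bytes, $mime]) {
    $verdict = validate_upload($name, $bytes, $mime);
    printf("%-10s %-10s -> %s\n", $name, $mime, $verdict ?? 'accepted');
}
```

The extension check looks only at the last extension, so a name such as shell.php.png is accepted when its bytes really are a PNG; whether a web server would still hand that file to PHP depends on how it maps extensions to handlers, which is why Drupal also rewrites inner extensions (file_munge_filename()) and ships an .htaccess in the files directory that disables script execution there. Keep both layers.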

Cross site request forgeries

Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements.

This bug affects Drupal 6.x.

User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person.

This bug affects both Drupal 5.x and 6.x.

Various Upload module vulnerabilities

The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the “upload files” permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF).

These bugs affect Drupal 6.x.

Versions affected

  • Drupal 5.x before version 5.10
  • Drupal 6.x before version 6.4

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.10.
  • If you are running Drupal 6.x then upgrade to Drupal 6.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

  • Members of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-046 – Drupal core – Session fixation

  • Advisory ID: DRUPAL-SA-2008-046
  • Project: Drupal core
  • Version: 5.x
  • Date: 2008-July-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Session fixation

Description

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user is able to control another user’s initial session ID. As the session is not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and will have the same access.

The advisory SA-2008-044 claims that this session fixation vulnerability was fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this vulnerability.

Versions affected

  • Drupal 5.x before version 5.9

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.9.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

  • The session fixation issue was originally reported by Erich C. Beyrent. Its continued existence in 5.8 was reported by dmnd.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-044 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-044
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-July-9
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal. None of these is readily exploitable.

Cross site scripting

Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.

Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.

filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.

Cross site request forgeries

Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.

Session fixation

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user’s session. This may lead to a session fixation attack, when a malicious user is able to control another user’s initial session ID. As the session is not regenerated, the malicious user may use the ‘fixed’ session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.
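The session fixation issue described here and in SA-2008-046 is a question of ordering. The following PHP is an added example, not Drupal's code: it models a login handler against an in-memory session store and shows that when a login hook ends the request early, scheduling regeneration after the hooks leaves the attacker-chosen session ID bound to the authenticated user, while regenerating first does not. The class and function names and the session IDs are constructed; in a real PHP application the regeneration call is session_regenerate_id(true).

```php
<?php
// Added example (not Drupal code): why "regenerate the session ID" must run
// before any login hook that might end the request.

// In-memory stand-in for the server-side session store.
class SessionStore {
    private $data = [];    // session id => ['uid' => int]
    private $current;

    public function __construct(string $initial_id) {
        // The id the request arrived with; under fixation it was chosen by someone else.
        $this->current = $initial_id;
        $this->data[$initial_id] = ['uid' => 0];
    }
    public function set(string $key, $value): void {
        $this->data[$this->current][$key] = $value;
    }
    // Equivalent of session_regenerate_id(true): fresh id, old record destroyed.
    public function regenerate(): void {
        $new = bin2hex(random_bytes(16));
        $this->data[$new] = $this->data[$this->current];
        unset($this->data[$this->current]);
        $this->current = $new;
    }
    // What whoever holds $id gets: the uid bound to it, or null if that id is dead.
    public function uid_for(string $id): ?int {
        return $this->data[$id]['uid'] ?? null;
    }
}

// Stand-in for a contributed module's login hook that redirects and exits.
// Modelled as an exception so the script continues to the next scenario.
class RequestTerminated extends Exception {}
function hook_user_login_that_exits(): void {
    throw new RequestTerminated();
}

// Vulnerable order: regeneration is scheduled after the hooks and never reached.
function login_regenerate_after_hooks(SessionStore $s, int $uid): void {
    $s->set('uid', $uid);
    try {
        hook_user_login_that_exits();
    } catch (RequestTerminated $e) {
        return;            // request ended here; the line below never runs
    }
    $s->regenerate();
}

// Safe order: the arriving id is discarded before anything else happens.
function login_regenerate_first(SessionStore $s, int $uid): void {
    $s->regenerate();
    $s->set('uid', $uid);
    try {
        hook_user_login_that_exits();
    } catch (RequestTerminated $e) {
        return;
    }
}

// Constructed scenario: the victim logs in with a session id planted by the attacker.
$planted = 'planted-session-id';

$s = new SessionStore($planted);
login_regenerate_after_hooks($s, 42);
printf("regenerate after hooks: planted id now maps to uid %s\n", var_export($s->uid_for($planted), true));

$s = new SessionStore($planted);
login_regenerate_first($s, 42);
printf("regenerate first:       planted id now maps to uid %s\n", var_export($s->uid_for($planted), true));
```

Drupal 5 and 6 wrap the real regeneration in sess_regenerate() in includes/session.inc; the point of the example is only where that call sits relative to code that may never return. The same ordering applies to privilege changes other than login, since any step that raises what a session can do should first sever it from the identifier the client arrived with.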

SQL injection

Schema API uses an inappropriate placeholder for ‘numeric’ fields, enabling SQL injection when user-supplied data is used for such fields. This issue affects Drupal 6 only.

Versions affected

  • Drupal 5.x before version 5.8
  • Drupal 6.x before version 6.3

Solution

Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.8.
  • If you are running Drupal 6.x then upgrade to Drupal 6.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Note for site administrators

Drupal 5.8 and 6.3 no longer support the use of the object HTML tag in many texts supplied by administrators. Such texts include the mission statement and taxonomy term descriptions.

Notes for developers

Drupal 6.3 has the new db_query placeholder %n for numeric fields (DECIMAL, NUMERIC). Custom queries should be updated to reflect this change.

Reported by

  • The session fixation issue was reported by Erich C. Beyrent.
  • The Taxonomy term XSS issue was reported by John Morahan.
  • The OpenID CSRF issue was reported by Peter Wolanin (Drupal security team).
  • The OpenID XSS issue was reported by Neil Drumm (Drupal security team).
  • The locale CSRF issue and the numeric SQL injection issue were reported by Heine Deelstra (Drupal security team).

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-026 – Drupal core – Access bypass

  • Advisory ID: DRUPAL-SA-2008-026
  • Project: Drupal core
  • Version: 6.x
  • Date: 2008-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The menu system routes page requests to appropriate handlers. It also determines whether a user has access to pages based on several criteria, such as permissions assigned to a role. Drupal 6 features an entirely revised menu system, including changes to the way access is dealt with, which if not properly understood by developers can lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.

Access to some pages was not appropriately controlled:

  • Any user can edit profile pages of other users.
  • Users who can view administration pages are able to edit content types.
  • The tracker and blog pages expose information to users without the “access content” permission.
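The three items above share a cause: a menu item that declares no access check of its own ends up with whatever check an ancestor declared, or with none. The following PHP is an added example, not Drupal's menu system: a toy path router with the two policies side by side, "inherit the nearest ancestor's check" and "deny unless the item declares its own". The route table, permission strings and paths are constructed to mirror the advisory; what Drupal 6.2 itself substitutes for a missing callback is not claimed here, only that the inheriting behaviour is the unsafe one.

```php
<?php
// Added example (not Drupal code): a toy path router comparing "inherit the
// parent's access check" with "deny unless the item declares its own check".

// Route table: pattern => item. '%' matches one path segment. The items with
// no 'access' key stand for the mis-set menu items the advisory describes.
$routes = [
    'admin'                      => ['access' => 'access administration pages'],
    'admin/content/types/%/edit' => [],   // check omitted by mistake
    'user/%'                     => ['access' => 'access user profiles'],
    'user/%/edit'                => [],   // check omitted by mistake
    'node/%/edit'                => ['access' => 'administer nodes'],
];

// First pattern whose segments all match the path (wildcards accept anything).
function match_route(array $routes, string $path): ?string {
    $parts = explode('/', $path);
    foreach (array_keys($routes) as $pattern) {
        $segs = explode('/', $pattern);
        if (count($segs) !== count($parts)) {
            continue;
        }
        foreach ($segs as $k => $seg) {
            if ($seg !== '%' && $seg !== $parts[$k]) {
                continue 2;
            }
        }
        return $pattern;
    }
    return null;
}

// Pattern with its last segment removed, or null at the root.
function parent_pattern(string $pattern): ?string {
    $pos = strrpos($pattern, '/');
    return $pos === false ? null : substr($pattern, 0, $pos);
}

// Inheriting policy: walk up the ancestors until some item declares a check.
// An item whose author forgot the check silently gets a weaker ancestor's check,
// or no check at all if no ancestor declares one.
function access_inheriting(array $routes, string $path, array $granted): bool {
    $pattern = match_route($routes, $path);
    if ($pattern === null) {
        return false;
    }
    for ($p = $pattern; $p !== null; $p = parent_pattern($p)) {
        if (isset($routes[$p]['access'])) {
            return in_array($routes[$p]['access'], $granted, true);
        }
    }
    return true;   // nothing in the chain declared a check: open to everyone
}

// Explicit policy: the matched item itself must declare a check, else deny.
function access_explicit(array $routes, string $path, array $granted): bool {
    $pattern = match_route($routes, $path);
    if ($pattern === null || !isset($routes[$pattern]['access'])) {
        return false;
    }
    return in_array($routes[$pattern]['access'], $granted, true);
}

// Constructed visitor: may look at admin pages and profiles, nothing more.
$granted = ['access administration pages', 'access user profiles'];

foreach (['admin/content/types/page/edit', 'user/7/edit', 'node/3/edit'] as $path) {
    printf("%-30s inheriting=%-5s explicit=%s\n", $path,
        var_export(access_inheriting($routes, $path, $granted), true),
        var_export(access_explicit($routes, $path, $granted), true));
}
```

Under the inheriting policy the visitor reaches both edit pages, because the only checks on the chain are the ones meant for viewing; under the explicit policy a forgotten check fails closed and shows up immediately in testing as an inaccessible page, which is the cheaper failure. That is also why the advisory warns that contributed modules may lose pages until they declare their own callbacks.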

Versions affected

  • Drupal 6.x before version 6.2.

Solution

Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.2.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes incorrectly set menu items in Drupal core, but does not contain the menu API change which would provide secure defaults. This patch is a temporary solution to be used if modules are required which are still incompatible with the new API changes.

If you used SA-2008-026-6.1.patch or SA-2008-026-6.1b.patch: that patch was incorrect. Please reverse it (for example with patch -R) and apply the current patch.

Important notes

It is essential to follow this process when updating:

  • First make sure that you are logged in as user number 1 or that your site’s settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
  • Turn your site into offline mode.
  • Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
  • Run update.php.
  • Turn your site back to online mode.
  • If you edited your site’s settings.php, make sure to set $update_free_access = FALSE;

If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message: “Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594” and you will have no way to set the site to offline mode on the web interface until you get through update.php.

Contributed modules may require an update to work properly with Drupal 6.2. Failing to update modules will lead to some pages of the affected modules not being accessible.

Note for Module developers

Drupal 6.2 contains two API changes.

  • Menu access callbacks are no longer inherited from parent items.
  • %user_current has been renamed to %user_uid_optional.

Additional information can be found in Updating your 6.x module to work with 6.2.

Reported by

  • The tracker and profile access issues were reported by Peter Wolanin and Greg Knaddison, respectively, of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-018 – Drupal core – Cross site scripting

  • Advisory ID: DRUPAL-SA-2008-018
  • Project: Drupal core
  • Version: 6.0
  • Date: 2008-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple cross site scripting vulnerabilities

Description

Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.

The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.

Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • Drupal 6.x before version 6.1.

Solution

Install the latest version:

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Steve McKenzie discovered the ECMAScript issue
  • The Drupal security team

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-007 – Drupal core – Cross site scripting (register_globals)

  • Advisory ID: DRUPAL-SA-2008-007
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting when register_globals is enabled.

Description

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupal’s .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. This issue affects you only when both of these measures are ineffective and your PHP interpreter is configured with register_globals enabled.

Versions affected

  • Drupal 4.7.x
  • Drupal 5.x

Solutions

  1. Disable register_globals. Please refer to the PHP documentation for information on how to configure PHP.
  2. Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.

Reported by

Ultra Security Research.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-006 – Drupal core – Cross site scripting (UTF8)

  • Advisory ID: DRUPAL-SA-2008-006
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

When outputting plain text, Drupal strips potentially dangerous HTML tags and attributes from HTML and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are invalid under the UTF-8 specification are not handled properly by Internet Explorer 6, which may treat one of them as the start of a multibyte character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. As a result, unsafe attributes that the filter saw outside a tag can appear inside a tag to Internet Explorer 6. This behaviour can then be used to insert and execute JavaScript in the context of the website.
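The defence is to refuse malformed UTF-8 before the HTML filter sees it, so the filter and the browser are guaranteed to agree on where every character starts. The following PHP is an added example, not Drupal's code: an explicit byte-level validator, the PCRE shortcut that Drupal's drupal_validate_utf8() uses, and an output-escaping wrapper that returns an empty string rather than pass malformed bytes through. The function names and the sample byte strings are constructed for this example.

```php
<?php
// Added example (not Drupal code): refuse malformed UTF-8 before the HTML
// filter sees it, so a browser cannot merge bytes across what the filter
// took to be a tag boundary.

// Explicit validator: RFC 3629 shapes, no overlong forms, no surrogates.
function is_well_formed_utf8(string $s): bool {
    $len = strlen($s);
    for ($i = 0; $i < $len; ) {
        $b = ord($s[$i]);
        if ($b < 0x80) {                                  // single-byte ASCII
            $i++;
            continue;
        }
        if ($b >= 0xC2 && $b <= 0xDF)     { $need = 1; $min = 0x80; }
        elseif ($b >= 0xE0 && $b <= 0xEF) { $need = 2; $min = 0x800; }
        elseif ($b >= 0xF0 && $b <= 0xF4) { $need = 3; $min = 0x10000; }
        else { return false; }                            // 0x80-0xC1 and 0xF5-0xFF never lead
        if ($i + $need >= $len) {
            return false;                                 // sequence cut off by end of string
        }
        $cp = $b & (0xFF >> ($need + 2));
        for ($j = 1; $j <= $need; $j++) {
            $c = ord($s[$i + $j]);
            if (($c & 0xC0) !== 0x80) {
                return false;                             // expected a continuation byte
            }
            $cp = ($cp << 6) | ($c & 0x3F);
        }
        if ($cp < $min || $cp > 0x10FFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) {
            return false;                                 // overlong, out of range, or surrogate
        }
        $i += $need + 1;
    }
    return true;
}

// The PCRE shortcut Drupal uses in drupal_validate_utf8(): with the /u modifier,
// preg_match() returns false instead of 0 or 1 when the subject is not valid UTF-8.
function pcre_validate_utf8(string $s): bool {
    return $s === '' || preg_match('/^./us', $s) === 1;
}

// Output escaping that refuses to pass malformed bytes through at all.
function check_plain_strict(string $text): string {
    if (!is_well_formed_utf8($text)) {
        return '';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed samples: one valid string and four malformed byte sequences.
$samples = [
    'valid'              => "caf\xC3\xA9 <b>",
    'truncated lead'     => "caf\xC3",
    'stray continuation' => "\x80abc",
    'overlong slash'     => "\xC0\xAF",
    'utf-16 surrogate'   => "\xED\xA0\x80",
];
foreach ($samples as $label => $bytes) {
    printf("%-18s explicit=%-5s pcre=%-5s output=%s\n", $label,
        var_export(is_well_formed_utf8($bytes), true),
        var_export(pcre_validate_utf8($bytes), true),
        var_export(check_plain_strict($bytes), true));
}
```

Dropping the whole string on the first bad byte is deliberate: stripping or replacing individual bytes would itself be a re-encoding step whose output the browser might read differently from the filter. It is also the behaviour behind the note below about GeSHi Filter and Code Filter, which insert such bytes on purpose and therefore produce empty output once validation is in place.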

Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Important note

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.

Use of modules that purposely insert bytes that are invalid UTF-8 characters, such as GeSHi Filter and Code Filter, will cause any text using the filter not to be displayed. Disable the modules until a solution has been found.

Reported by

The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend.

The Drupal security team wants to thank Die Zeit, who commissioned the audit, for sharing the results.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2008-005 – Drupal core – Cross site request forgery

  • Advisory ID: DRUPAL-SA-2008-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site request forgery

Description

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
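The aggregator case is the simplest shape of the CSRF issues on this page; the deletion links in SA-2008-044 and the access-rule URLs and cached or AHAH forms in SA-2008-047 are the same mistake, a state change accepted without proof that the current user meant it. The following PHP is an added example, not Drupal's code (Drupal's own helpers are drupal_get_token() and drupal_valid_token()): a per-session token bound to the exact action, a vulnerable handler that acts on any GET, and a hardened handler that requires POST and a valid token. The secret, the session IDs, the handler names and the feed data are constructed for this example.

```php
<?php
// Added example (not Drupal code): per-session anti-CSRF tokens for
// state-changing requests, with the vulnerable handler beside the hardened one.

// A site-wide secret generated once and stored outside the web root
// (Drupal keeps one in its variable table). Constructed here for the example.
const SITE_PRIVATE_KEY = 'constructed-secret-do-not-reuse';

// Token bound to the session and to the exact action it authorises.
function csrf_token(string $session_id, string $action): string {
    return hash_hmac('sha256', $session_id . "\0" . $action, SITE_PRIVATE_KEY);
}

// Validation runs on every request that changes state, whether or not the form
// that produced it was served from the page cache or built through AHAH.
function csrf_valid(string $session_id, string $action, ?string $presented): bool {
    if ($presented === null) {
        return false;
    }
    return hash_equals(csrf_token($session_id, $action), $presented);
}

// Vulnerable shape from the advisory: any GET to the URL removes the items.
function remove_items_vulnerable(array $request, string $session_id, array &$items): string {
    $fid = (int) ($request['fid'] ?? 0);
    unset($items[$fid]);
    return "removed items of feed $fid";
}

// Hardened shape: require POST and a token tied to this feed and this session.
function remove_items_hardened(array $request, string $session_id, array &$items): string {
    $fid = (int) ($request['fid'] ?? 0);
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'refused: state change over GET';
    }
    if (!csrf_valid($session_id, "aggregator/remove/$fid", $request['token'] ?? null)) {
        return 'refused: missing or invalid token';
    }
    unset($items[$fid]);
    return "removed items of feed $fid";
}

// Constructed scenario: an administrator's session and two feeds with items.
$admin_session = 'sess-admin-1';
$items = [1 => ['a', 'b'], 2 => ['c']];

// What an <img src> on a third-party page would send: a bare GET, no token.
$forged = ['method' => 'GET', 'fid' => 1];
echo remove_items_vulnerable($forged, $admin_session, $items), "\n";

$items = [1 => ['a', 'b'], 2 => ['c']];
echo remove_items_hardened($forged, $admin_session, $items), "\n";

// A token minted for some other session does not transfer.
$other = ['method' => 'POST', 'fid' => 1,
          'token'  => csrf_token('sess-other', 'aggregator/remove/1')];
echo remove_items_hardened($other, $admin_session, $items), "\n";

// The genuine form submission carries the token for this session and this feed.
$legit = ['method' => 'POST', 'fid' => 1,
          'token'  => csrf_token($admin_session, 'aggregator/remove/1')];
echo remove_items_hardened($legit, $admin_session, $items), "\n";
printf("feeds left: %s\n", implode(',', array_keys($items)));
```

Binding the token to the action string means a token leaked from one form cannot authorise a different deletion, and deriving it from the session means it never has to be stored. A token carried in a link to a confirmation form works as well as a POST body; what does not work is skipping the check because the page that rendered the form was cached, which is the form-caching problem SA-2008-047 describes.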

Versions affected

  • Drupal 4.7.x before version 4.7.11.
  • Drupal 5.x before version 5.6.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.6.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2007-031 – Drupal core – SQL Injection possible when certain contributed modules are enabled

  • Advisory ID: DRUPAL-SA-2007-031
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-December-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection

Description

The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.
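This advisory and the numeric-placeholder issue in SA-2008-044 (with its %n note for developers) are two ends of the same problem, so one example serves both. The following PHP is an added example, not Drupal's database layer: a small stand-in for the db_query() placeholder mechanism of Drupal 5/6 that shows a value concatenated into SQL with no placeholder, the same value through %d, a numeric column bound through an unquoted %s, and the same column through %n. The function names, the %n validation rule and the sample queries are constructed for this example.

```php
<?php
// Added example (not Drupal code): a small stand-in for the db_query()
// placeholder mechanism of Drupal 5/6, enough to show both failure modes:
// values concatenated into SQL with no placeholder at all, and a numeric
// field bound through an unquoted string placeholder.

// Escape for use inside single quotes (stand-in for db_escape_string()).
function escape_string(string $v): string {
    return str_replace(
        ["\\",   "'",   "\"",   "\0",  "\n",  "\r",  "\x1a"],
        ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
        $v
    );
}

// Substitute %d, %f, %s and %n in order of appearance.
function format_query(string $sql, array $args): string {
    $i = 0;
    return preg_replace_callback('/%([dfsn])/', function (array $m) use ($args, &$i): string {
        $arg = $args[$i++];
        switch ($m[1]) {
            case 'd':
                return (string) (int) $arg;            // integer: cast, nothing else survives
            case 'f':
                return (string) (float) $arg;          // float: cast
            case 's':
                return escape_string((string) $arg);   // string: escaped; the caller writes the quotes
            default:
                // %n: arbitrary precision, so keep the text, but only if it is a plain number.
                // Deliberately not is_numeric(): that also accepts "1e3", " 1" and hex on old PHP.
                return preg_match('/^-?[0-9]+(\.[0-9]+)?$/', (string) $arg) ? (string) $arg : '0';
        }
    }, $sql);
}

// Constructed attacker-controlled input: text where a number was expected.
$tid   = '1) OR (1=1';
$price = '10 OR 1=1';

// 1. No placeholder: the taxonomy_select_nodes() shape the advisory describes.
$sql_concat = 'SELECT nid FROM term_node WHERE tid IN (' . $tid . ')';

// 2. Integer placeholder: the cast leaves only the leading digits.
$sql_int = format_query('SELECT nid FROM term_node WHERE tid IN (%d)', [$tid]);

// 3. Numeric column bound with an unquoted %s: escaping cannot help when there
//    are no quotes for the escaped characters to protect.
$sql_str = format_query('UPDATE products SET price = %s WHERE pid = %d', [$price, 7]);

// 4. The same column with %n: the non-numeric text is refused and replaced by 0.
$sql_num = format_query('UPDATE products SET price = %n WHERE pid = %d', [$price, 7]);

foreach (compact('sql_concat', 'sql_int', 'sql_str', 'sql_num') as $label => $q) {
    printf("%-10s %s\n", $label, $q);
}
```

The lesson for core API authors is the one the advisory draws: a function that receives a value and builds SQL must bind it itself, because the callers that validate today are not the callers that will exist tomorrow. For numeric columns that cannot go through a cast without losing precision, the placeholder has to validate the textual form, which is what %n exists for.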

To learn more about SQL injection, please read this article.

Versions affected

  • Drupal 4.7.x before Drupal 4.7.9
  • Drupal 5.x before Drupal 5.4

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.9.
  • If you are running Drupal 5.x then upgrade to Drupal 5.4.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Nadid Skywalker
  • Ivan Sergio Borgonovo

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-2007-030 – Drupal Core – API handling of unpublished comment.

  • Advisory ID: DRUPAL-SA-2007-030
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.

Versions affected

  • Drupal 4.7.x before version 4.7.8
  • Drupal 5.x before version 5.3.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
