CVE-2007-1576 (phprojekt)

Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Search (only Gecko engine driven Browsers), and (5) Notes modules; the (6) Mail summary page; and unspecified other files.

DRUPAL-SA-2007-005 – Drupal core – Arbitrary code execution

  • Advisory ID: DRUPAL-SA-2007-005
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-Jan-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution

Description

Previews on comments were not passed through normal form validation routines, enabling users with the ‘post comments’ permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format.

Immediate workarounds include: disabling the comment module, revoking the ‘post comments’ permission for all users or limiting access to one input format.

Versions affected

  • Drupal 4.7.x before version 4.7.6.
  • Drupal 5.x before version 5.1.

Solution

Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.6.
  • If you are running Drupal 5.0 then upgrade to Drupal 5.1.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version: 

CVE-2007-0236

Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow. (CVSS:10.0) (Last Update:2008-09-05)

Drupal core – Denial of service

  • Advisory ID: DRUPAL-SA-2007-002.
  • Project: Drupal Core.
  • Version: 4.6, 4.7
  • Date: 2007-Jan-05.
  • Security risk: Less critical.
  • Exploitable from: Remote.
  • Vulnerability: Denial of service.

Description

The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages.

If the page cache is not enabled, your site is not vulnerable. The vulnerability only affects sites running on top of MySQL.

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.11.
  • Drupal 4.7.x versions before Drupal 4.7.5.

Solution

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal core – Cross site scripting

  • Advisory ID: DRUPAL-SA-2007-001.
  • Project: Drupal Core.
  • Version: 4.6, 4.7.
  • Date: 2007-Jan-05.
  • Security risk: Less critical.
  • Exploitable from: Remote.
  • Vulnerability: Cross site scripting.

Description

A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim’s session. Such an attack may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia.

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.11.
  • Drupal 4.7.x versions before Drupal 4.7.5.

Solution

Reported by

Anonymous via JPCERT.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

DRUPAL-SA-2006-026 – Drupal core – Form action attribute injection

  • Advisory ID: DRUPAL-SA-2006-026
  • Project: Drupal core
  • Date: 2006-Oct-18
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: HTML attribute injection

Description

A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.10
  • Drupal 4.7.x versions before Drupal 4.7.4

Solution

  • If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by

Frederic Marand.

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

Drupal version: 

CVE-2006-2489

Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x before 2.3.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a content length (Content-Length) HTTP header. NOTE: this is a different vulnerability than CVE-2006-2162. (CVSS:7.5) (Last Update:2008-09-05)

Software and Security Information