-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0039 -- [Win][UNIX/Linux]
                  Drupal Core - Multiple Vulnerabilities
                              11 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Drupal Core
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Provide Misleading Information
Access:               Remote/Unauthenticated

Original Bulletin:    http://drupal.org/node/208562
                      http://drupal.org/node/208564
                      http://drupal.org/node/208565

Comment: This bulletin contains three (3) Drupal Security Advisories

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-005 - DRUPAL CORE - CROSS SITE REQUEST FORGERY------------

  * Advisory ID: DRUPAL-SA-2008-005

  * Project: Drupal core

  * Version: 4.7.x, 5.x

  * Date: 2008-January-10

  * Security risk: Less critical

  * Exploitable from: Remote

  * Vulnerability: Cross site request forgery

- ------------DESCRIPTION------------

The aggregator module fetches items from RSS feeds and makes them available on
the site. The module provides an option to remove the items of a particular
feed. This has been implemented as a simple GET request and is therefore
vulnerable to cross site request forgery. For example, should a privileged user
view a page containing an <img> tag whose src attribute points to a "remove
items" URL, the browser would fetch that URL with the user's session cookie
attached and the items would be removed.
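
The following is an added example in Python, not part of the advisory and not
Drupal's PHP code. It models the pattern just described: remove_items_vulnerable
clears a feed on a plain GET that is authorised by nothing but the session
cookie the browser attaches, which is exactly what a third-party <img src="...">
triggers; remove_items_fixed only acts on a POST carrying a token bound to the
session and the action with an HMAC, which an attacker's page cannot produce. The
path /admin/aggregator/remove/<fid>, the site key, the session ids and the feed
contents are all constructed for the example and are not Drupal's.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed per-site secret; a real site would generate and store one privately.
SITE_PRIVATE_KEY = b"example-site-private-key"

# Hypothetical URL layout for the example; not a claim about Drupal's routing.
REMOVE_PATH = "/admin/aggregator/remove/"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or POST fields


@dataclass
class Site:
    sessions: dict                               # session id -> user name
    feeds: dict                                  # feed id -> list of item titles


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to both the session and the action, so a third-party page
    cannot predict it. An HMAC keeps the site secret itself out of the page."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def _feed_id(req: Request) -> int:
    return int(req.path[len(REMOVE_PATH):])


def remove_items_vulnerable(site: Site, req: Request) -> str:
    """The pattern the advisory describes: the feed is cleared on a plain GET,
    authorised only by the session cookie the browser sends automatically."""
    if req.cookies.get("sid") not in site.sessions:
        return "403 not logged in"
    site.feeds[_feed_id(req)] = []
    return "200 items removed"


def remove_items_fixed(site: Site, req: Request) -> str:
    """Hardened handler: state changes only on POST, and only with the token the
    site's own confirmation form carried. An <img> tag can supply neither."""
    sid = req.cookies.get("sid")
    if sid not in site.sessions:
        return "403 not logged in"
    if req.method != "POST":
        return "405 use the confirmation form"
    fid = _feed_id(req)
    expected = csrf_token(sid, f"remove/{fid}")
    supplied = req.params.get("token", "")
    if not hmac.compare_digest(supplied, expected):      # constant-time compare
        return "403 bad token"
    site.feeds[fid] = []
    return "200 items removed"


def forged_request(fid: int, method: str = "GET", token: str = None) -> Request:
    """What the victim's browser sends after rendering an attacker page such as
    <img src="http://victim-site/admin/aggregator/remove/3">: a request carrying
    the victim's cookie and nothing the attacker could not write in advance."""
    params = {} if token is None else {"token": token}
    return Request(method, f"{REMOVE_PATH}{fid}",
                   cookies={"sid": "victim-session"}, params=params)


def legitimate_request(fid: int) -> Request:
    """POST from the site's own confirmation form, which embedded the token."""
    sid = "victim-session"
    return Request("POST", f"{REMOVE_PATH}{fid}", cookies={"sid": sid},
                   params={"token": csrf_token(sid, f"remove/{fid}")})


def new_site() -> Site:
    return Site(sessions={"victim-session": "admin"},
                feeds={3: ["item one", "item two"]})


def demo() -> dict:
    """Run the forged GET against both handlers and a legitimate POST against
    the fixed one; returns each response with the feed contents afterwards."""
    vuln = new_site()
    r1 = remove_items_vulnerable(vuln, forged_request(3))
    fixed = new_site()
    r2 = remove_items_fixed(fixed, forged_request(3))
    items_after_forgery = list(fixed.feeds[3])
    r3 = remove_items_fixed(fixed, legitimate_request(3))
    return {"vulnerable": (r1, vuln.feeds[3]),
            "fixed_forged": (r2, items_after_forgery),
            "fixed_legit": (r3, fixed.feeds[3])}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Requiring POST alone is not enough, since an attacker's page can auto-submit a
form; the token is what stops the forgery, and the method check only closes the
trivial image-tag vector. Binding the token to the session means a token the
attacker obtains with their own account is useless against another user.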

- ------------VERSIONS AFFECTED------------

  * Drupal 4.7.x before version 4.7.11.

  * Drupal 5.x before version 5.6.

- ------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].

  * If you are running Drupal 5.x then upgrade to Drupal 5.6 [
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. 

  * To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch [
http://drupal.org/files/sa-2008-005/SA-2008-005-4.7.10.patch ].

  * To patch Drupal 5.5 use SA-2008-005-5.5.patch [
http://drupal.org/files/sa-2008-005/SA-2008-005-5.5.patch ].

- ------------REPORTED BY------------

The Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


- ------------SA-2008-006 - DRUPAL CORE - CROSS SITE SCRIPTING (UTF8)------------

  * Advisory ID: DRUPAL-SA-2008-006

  * Project: Drupal core

  * Version: 4.7.x, 5.x

  * Date: 2008-January-10

  * Security risk: Moderately critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

When outputting plain text, Drupal strips potentially dangerous HTML tags and
attributes and escapes characters that have a special meaning in HTML. This
output filtering protects the site against cross site scripting attacks via
user input.

Certain byte sequences that are invalid under the UTF-8 specification are not
handled properly by Internet Explorer 6, which may treat such a byte as the
start of a multibyte character where none is present and then consume a number
of the following bytes as part of that character. Characters that the filter
relied on to close an attribute or tag can be swallowed this way, so text that
the filter saw outside a tag appears inside the tag to Internet Explorer 6,
where it is parsed as attributes. This behaviour can be used to insert and
execute JavaScript in the context of the website.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Xss ] (XSS).
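
The following is an added example in Python, not part of the advisory and not
Drupal's PHP code; it shows the defence the advisory implies (reject any output
that is not well-formed UTF-8 before escaping it) next to a model of the lenient
decoding that makes the stray bytes dangerous. valid_utf8 is a strict RFC 3629
validator; lenient_first_char models a decoder that trusts the lead byte's
announced length, which is the behaviour the advisory attributes to Internet
Explorer 6; check_plain returns an empty string for invalid input, matching the
note further down that text containing such bytes will no longer be displayed.
The SAMPLE bytes are constructed for the example.

```python
import html


def valid_utf8(data: bytes) -> bool:
    """Strict UTF-8 validation (RFC 3629): every lead byte must be followed by
    exactly the continuation bytes it announces, and overlong forms, UTF-16
    surrogates and code points above U+10FFFF are rejected. A lead byte whose
    continuation bytes are missing, the case the advisory describes, fails here."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                       # ASCII, one byte
            i += 1
            continue
        # (continuation bytes needed, allowed range for the first of them)
        if 0xC2 <= b <= 0xDF:   need, lo, hi = 1, 0x80, 0xBF
        elif b == 0xE0:         need, lo, hi = 2, 0xA0, 0xBF   # no overlong 3-byte
        elif b == 0xED:         need, lo, hi = 2, 0x80, 0x9F   # no surrogates
        elif 0xE1 <= b <= 0xEF: need, lo, hi = 2, 0x80, 0xBF
        elif b == 0xF0:         need, lo, hi = 3, 0x90, 0xBF   # no overlong 4-byte
        elif b == 0xF4:         need, lo, hi = 3, 0x80, 0x8F   # at most U+10FFFF
        elif 0xF1 <= b <= 0xF3: need, lo, hi = 3, 0x80, 0xBF
        else:
            return False   # stray continuation (0x80-0xBF), 0xC0/0xC1, 0xF5 and up
        if i + need >= n:
            return False   # sequence truncated by the end of the input
        if not lo <= data[i + 1] <= hi:
            return False
        for k in range(2, need + 1):
            if not 0x80 <= data[i + k] <= 0xBF:
                return False
        i += need + 1
    return True


def lenient_first_char(data: bytes) -> tuple:
    """Models a lenient decoder of the kind the advisory describes: it believes
    the lead byte's announced length and swallows that many bytes whether or
    not they are continuation bytes. Returns (bytes consumed, remainder)."""
    b = data[0]
    length = 1 if b < 0xC0 else 2 if b < 0xE0 else 3 if b < 0xF0 else 4
    return data[:length], data[length:]


def check_plain(data: bytes) -> str:
    """Escape text for HTML output, but only after strict UTF-8 validation;
    invalid input yields an empty string rather than bytes a browser might
    re-interpret. This mirrors the policy the advisory implies, not Drupal's
    own implementation."""
    if not valid_utf8(data):
        return ""
    return html.escape(data.decode("utf-8"), quote=True)


# Constructed sample: a stray 0xE0 lead byte just before the quote that closes
# an attribute. A filter working on bytes sees the closing quote and the '>';
# a lenient decoder treats both as the tail of one 3-byte character, so the
# attribute stays open and the following text lands inside the tag.
SAMPLE = b'<a title="x\xe0">stray text</a>'


def boundary_shift(data: bytes = SAMPLE) -> tuple:
    """Show what the lenient decoder swallows after the first invalid lead byte."""
    start = next(i for i, b in enumerate(data) if b >= 0x80)
    return lenient_first_char(data[start:])


if __name__ == "__main__":
    print("strict validation:", valid_utf8(SAMPLE))
    print("lenient decoder consumed:", boundary_shift())
    print("escaped output:", repr(check_plain(SAMPLE)))
```

The validator is deliberately byte-oriented rather than a call to the standard
decoder so the rejected cases are visible; on well-formed input it agrees with
bytes.decode("utf-8"). Escaping first and validating afterwards would not help,
since the escaper only touches ASCII metacharacters and leaves the stray lead
byte in place.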

- ------------VERSIONS AFFECTED------------

  * Drupal 4.7.x before version 4.7.11.

  * Drupal 5.x before version 5.6.

- ------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].

  * If you are running Drupal 5.x then upgrade to Drupal 5.6 [
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. 

  * To patch Drupal 4.7.10 use SA-2008-006-4.7.10.patch [
http://drupal.org/files/sa-2008-006/SA-2008-006-4.7.10.patch ].

  * To patch Drupal 5.5 use SA-2008-006-5.5.patch [
http://drupal.org/files/sa-2008-006/SA-2008-006-5.5.patch ].

- ------------IMPORTANT NOTE------------

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.

Modules that purposely insert bytes which are not valid UTF-8, such as GeSHi
Filter [ http://drupal.org//project/geshifilter ] and Code Filter
[ http://drupal.org//project/codefilter ], will cause any text passing through
their filter to be displayed as empty. Disable these modules until a solution
has been found.

- ------------REPORTED BY------------

The vulnerability was discovered during an audit of Drupal core by Stefan
Esser, Mayflower GmbH and Zend.

The Drupal security team wants to thank Die Zeit [ http://www.zeit.de/ ], who
commissioned the audit, for sharing the results.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


- ------------SA-2008-007 - DRUPAL CORE - CROSS SITE SCRIPTING (REGISTER_GLOBALS)------------

  * Advisory ID: DRUPAL-SA-2008-007

  * Project: Drupal core

  * Version: 4.7.x, 5.x

  * Date: 2008-January-10

  * Security risk: Less critical

  * Exploitable from: Remote

  * Vulnerability: Cross site scripting when register_globals is enabled.

- ------------DESCRIPTION------------

When theme .tpl.php files are accessible via the web and the PHP setting
register_globals is enabled, anonymous users are able to execute cross site
scripting attacks via specially crafted links.

Drupal's .htaccess attempts to set register_globals to disabled and also
prevents access to .tpl.php files. This issue affects you only when both of
these measures are ineffective (for example because your web server does not
honour .htaccess files) and your PHP interpreter is configured with
register_globals enabled.

- ------------VERSIONS AFFECTED------------

  * Drupal 4.7.x

  * Drupal 5.x

- ------------SOLUTIONS------------

  * Disable register_globals. Please refer to the PHP documentation [
http://www.php.net/configuration.changes ] for information on how to configure PHP.

  * Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when
register_globals is enabled. Drupal 5.6 will refuse installation on an
insecurely configured server. Existing sites will continue to work.
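
The following is an added example in Python, not part of the advisory and not
Drupal's own code: a configuration audit for the two conditions above, usable
before an upgrade to check whether the .htaccess protections are actually in
effect. It reads a php.ini and an .htaccess as text, applies PHP's boolean
spellings for register_globals, checks whether a <FilesMatch> block denies
access to a .tpl.php file, and combines the two with what the server does with
.htaccess at all (ignored under AllowOverride None or a non-Apache server) and
whether PHP runs as mod_php (php_value lines are ignored under CGI/FastCGI).
The INI_ON and HTACCESS inputs are constructed; HTACCESS is modelled on the
shape of the protections the advisory says Drupal ships, not copied from it.

```python
import re

# PHP's ini boolean spellings (case-insensitive): these mean "on" ...
_ON = {"1", "on", "true", "yes"}
# ... and these mean "off". Anything else is not guessed at.
_OFF = {"0", "off", "false", "no", "none", ""}


def php_bool(value: str) -> bool:
    v = value.strip().strip('"').lower()
    if v in _ON:
        return True
    if v in _OFF:
        return False
    raise ValueError(f"unrecognised PHP boolean: {value!r}")


def register_globals_in_ini(ini_text: str):
    """State set by php.ini; the last uncommented assignment wins. None if the
    directive is absent (PHP's compiled-in default for register_globals is Off)."""
    state = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a comment
        m = re.match(r"register_globals\s*=\s*(.*)$", line, re.I)
        if m:
            state = php_bool(m.group(1))
    return state


def register_globals_in_htaccess(htaccess_text: str):
    """State set by a php_value/php_flag directive in .htaccess. None if absent."""
    state = None
    for line in htaccess_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"php_(?:value|flag)\s+register_globals\s+(\S+)", line, re.I)
        if m:
            state = php_bool(m.group(1))
    return state


def tpl_blocked_by_htaccess(htaccess_text: str, filename: str = "page.tpl.php") -> bool:
    """True if a <FilesMatch> block whose pattern matches `filename` denies
    access: Apache 2.2 'Order allow,deny' with no Allow line, 'Deny from all',
    or Apache 2.4 'Require all denied'."""
    blocks = re.finditer(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>',
                         htaccess_text, re.S | re.I)
    for m in blocks:
        pattern, body = m.groups()
        if not re.search(pattern, filename):
            continue
        denies = (re.search(r"^\s*Require\s+all\s+denied\s*$", body, re.M | re.I)
                  or re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.M | re.I)
                  or (re.search(r"^\s*Order\s+allow\s*,\s*deny\s*$", body, re.M | re.I)
                      and not re.search(r"^\s*Allow\s+from", body, re.M | re.I)))
        if denies:
            return True
    return False


def audit(ini_text: str, htaccess_text: str,
          htaccess_honoured: bool = True, mod_php: bool = True) -> dict:
    """Combine the conditions the advisory names. `htaccess_honoured` is False
    when the server ignores .htaccess entirely; `mod_php` is False under
    CGI/FastCGI, where php_value lines are ignored but FilesMatch still applies."""
    rg = register_globals_in_ini(ini_text)
    if rg is None:
        rg = False                                    # compiled-in default
    blocked = False
    if htaccess_honoured:
        override = register_globals_in_htaccess(htaccess_text) if mod_php else None
        if override is not None:
            rg = override
        blocked = tpl_blocked_by_htaccess(htaccess_text)
    return {"register_globals": rg, "tpl_blocked": blocked,
            "vulnerable": rg and not blocked}


# Constructed inputs: a php.ini that turns register_globals on, and an .htaccess
# in the shape of the protections the advisory describes.
INI_ON = "; php.ini (constructed)\nregister_globals = On\n"
HTACCESS = r'''
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$">
  Order allow,deny
</FilesMatch>
<IfModule mod_php5.c>
  php_value register_globals 0
</IfModule>
'''


if __name__ == "__main__":
    print("htaccess honoured, mod_php:", audit(INI_ON, HTACCESS))
    print("htaccess ignored:          ", audit(INI_ON, HTACCESS, htaccess_honoured=False))
    print("CGI/FastCGI:               ", audit(INI_ON, HTACCESS, mod_php=False))
```

The audit reads configuration text only; the definitive check is still to
request a .tpl.php file from the site and look at phpinfo() or ini_get() on
the running interpreter, since a php.ini other than the one you inspected may
be loaded.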

- ------------REPORTED BY------------

Ultra Security Research.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR4b6iyh9+71yA2DNAQKk2QP/QYlkN9uQXJz7i5EzU8U3KVDb/nNNeWlO
HP1QTxv2KTATY4020A6JZRFkcx+C19uUZ2HL5VdQBmHL54nYubvcvCecTEwdGvqd
4IHd8UAbGxqyMP5slM2AQZ6NHAuyo5gXfVOpZnLMpTIB3NCU8hikEYyiiA7rvXyf
NmFBLhtTRII=
=00vW
-----END PGP SIGNATURE-----