-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0039 -- [Win][UNIX/Linux]
                    Drupal Core - Multiple Vulnerabilities
                               11 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Drupal Core
Publisher:            Drupal
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Provide Misleading Information
Access:               Remote/Unauthenticated

Original Bulletin:    http://drupal.org/node/208562
                      http://drupal.org/node/208564
                      http://drupal.org/node/208565

Comment: This bulletin contains three (3) Drupal Security Advisories

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-005 - DRUPAL CORE - CROSS SITE REQUEST FORGERY------------

  * Advisory ID: DRUPAL-SA-2008-005
  * Project: Drupal core
  * Version: 4.7.x, 5.x
  * Date: 2008-January-10
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross site request forgery

- ------------DESCRIPTION------------

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove-items URL, the items would be removed.

- ------------VERSIONS AFFECTED------------

  * Drupal 4.7.x before version 4.7.11.
  * Drupal 5.x before version 5.6.

- ------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [ http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].
  * If you are running Drupal 5.x then upgrade to Drupal 5.6 [ http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

  * To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-4.7.10.patch ].
  * To patch Drupal 5.5 use SA-2008-005-5.5.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-5.5.patch ].

- ------------REPORTED BY------------

The Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

- ------------SA-2008-006 - DRUPAL CORE - CROSS SITE SCRIPTING (UTF8)------------

  * Advisory ID: DRUPAL-SA-2008-006
  * Project: Drupal core
  * Version: 4.7.x, 5.x
  * Date: 2008-January-10
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

When outputting plain text, Drupal strips potentially dangerous HTML tags and attributes from HTML and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are invalid under the UTF-8 specification are not handled properly by Internet Explorer 6 and may lead it to see a multibyte start character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. This may cause unsafe attributes that were outside a tag, as far as the filter is concerned, to appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute JavaScript in the context of the website.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

- ------------VERSIONS AFFECTED------------

  * Drupal 4.7.x before version 4.7.11.
  * Drupal 5.x before version 5.6.
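The aggregator issue in SA-2008-005 above is the textbook case of a state-changing action bound to a plain GET request. As an added illustration that is not part of this bulletin and is not Drupal's own code or token API, the Python below shows the same removal both as the advisory describes it and with the two usual defences: the action is only accepted over POST, and only with a token that is an HMAC over the session and the specific action. FeedStore, SERVER_SECRET and the session ids are constructed for the example.

```python
import hmac
import hashlib

# Constructed server-side secret for the example; a real site keeps this
# private and rotates it with its other secrets.
SERVER_SECRET = b"constructed-secret-for-this-example-only"


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to one session *and* one action, so a token minted for
    some other form cannot be replayed against 'remove items'."""
    msg = f"{session_id}|{action}".encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, action: str) -> bool:
    # Constant-time comparison: a plain '==' would leak how many leading
    # characters matched through response timing.
    return hmac.compare_digest(token, csrf_token(session_id, action))


class FeedStore:
    """Hypothetical stand-in for the aggregator's per-feed item lists."""

    def __init__(self):
        self.items = {1: ["item-a", "item-b"], 2: ["item-c"]}

    def remove_items_get(self, query: dict) -> int:
        """The pattern SA-2008-005 describes: the removal happens on a plain
        GET with no proof that the user intended it, so any page that embeds
        the URL (for instance in an <img> src) fires it with the viewer's
        cookies attached."""
        fid = int(query["fid"])
        self.items[fid] = []
        return 200

    def remove_items_post(self, method: str, session_id: str, form: dict) -> int:
        """Hardened handler: only POST, and only with a token that was minted
        for this session and this exact action."""
        if method != "POST":
            return 405  # state changes are never performed on GET
        fid = form.get("fid")
        token = form.get("token", "")
        if fid is None or not valid_token(token, session_id, f"remove-items:{fid}"):
            return 403  # missing, foreign-session or wrong-action token
        self.items[int(fid)] = []
        return 200


def render_remove_form(session_id: str, fid: int) -> str:
    """What the server emits on the confirmation page: the token travels in
    the form body, never in a link that can be embedded in an <img>."""
    token = csrf_token(session_id, f"remove-items:{fid}")
    return (f'<form method="post" action="/aggregator/remove/{fid}">'
            f'<input type="hidden" name="fid" value="{fid}">'
            f'<input type="hidden" name="token" value="{token}">'
            f'<input type="submit" value="Remove items"></form>')
```

Binding the token to the action string as well as the session is what stops a token harvested from one harmless form being reused on a destructive one; requiring POST on its own is not enough, since a cross-site form can still be auto-submitted, but it does close the <img>-src vector the advisory describes.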
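The root cause in SA-2008-006 above is that HTML escaping alone does not help once the byte stream is not valid UTF-8: the escaper sees a quote or a closing bracket, while a browser that treats a stray lead byte as the start of a multibyte character no longer does. The defensive move the fixed releases take, as the IMPORTANT NOTE describes, is to refuse invalid input before escaping rather than display it. The Python below is an added example, not Drupal's own code (utf8_valid and check_plain are names chosen here, not Drupal's API); it spells out the rules a strict UTF-8 validator enforces, cross-checks them against Python's own decoder, and runs them over constructed samples.

```python
import html


def utf8_valid(data: bytes) -> bool:
    """Strict UTF-8 check written out byte by byte.

    Rejects stray continuation bytes, truncated sequences, overlong
    encodings, UTF-16 surrogates and code points above U+10FFFF, i.e. the
    shapes a lenient consumer might "repair" by swallowing the bytes that
    follow them.
    """
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                       # plain ASCII
            i += 1
            continue
        # The lead byte decides how many continuation bytes follow and the
        # allowed range of the first one (tightened to exclude overlongs,
        # surrogates and values past U+10FFFF).
        if 0xC2 <= b <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF   # E0 80..9F would be overlong
        elif 0xE1 <= b <= 0xEC or 0xEE <= b <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b == 0xED:
            need, lo, hi = 2, 0x80, 0x9F   # ED A0..BF would be a surrogate
        elif b == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF   # F0 80..8F would be overlong
        elif 0xF1 <= b <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F   # F4 90.. would exceed U+10FFFF
        else:
            return False                   # 80..C1 and F5..FF never lead
        if i + need >= n:
            return False                   # sequence truncated at end of input
        if not lo <= data[i + 1] <= hi:
            return False
        for j in range(i + 2, i + need + 1):
            if not 0x80 <= data[j] <= 0xBF:
                return False
        i += need + 1
    return True


def check_plain(data: bytes) -> str:
    """Output filter for user-supplied bytes: reject anything that is not
    well-formed UTF-8 (displaying nothing, as the fixed releases do for such
    text) and only then HTML-escape it."""
    if not utf8_valid(data):
        return ""
    return html.escape(data.decode("utf-8"), quote=True)


def agrees_with_codec(data: bytes) -> bool:
    """Cross-check: the hand-written validator must accept exactly what
    Python's strict UTF-8 decoder accepts."""
    try:
        data.decode("utf-8", errors="strict")
        codec_ok = True
    except UnicodeDecodeError:
        codec_ok = False
    return codec_ok == utf8_valid(data)


# Constructed samples: well-formed text first, then the malformed shapes the
# validator must refuse.
SAMPLES = {
    "valid_latin1_and_markup": b'caf\xc3\xa9 <b class="x">',
    "valid_max_code_point": b"\xf4\x8f\xbf\xbf",      # U+10FFFF
    "truncated_lead_byte": b"caf\xc3",               # lead byte, no continuation
    "stray_continuation": b"abc\x80",
    "overlong_slash": b"\xc0\xaf",                   # '/' padded to two bytes
    "surrogate": b"\xed\xa0\x80",                    # U+D800
    "above_unicode_range": b"\xf4\x90\x80\x80",
}
```

The truncated_lead_byte sample is the shape the advisory is about: a lone lead byte immediately before characters the escaper relied on. Validating first means the filter never has to reason about how a particular browser repairs bad input.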
- ------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [ http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].
  * If you are running Drupal 5.x then upgrade to Drupal 5.6 [ http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

  * To patch Drupal 4.7.10 use SA-2008-006-4.7.10.patch [ http://drupal.org/files/sa-2008-006/SA-2008-006-4.7.10.patch ].
  * To patch Drupal 5.5 use SA-2008-006-5.5.patch [ http://drupal.org/files/sa-2008-006/SA-2008-006-5.5.patch ].

- ------------IMPORTANT NOTE------------

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.

Use of modules that purposely insert bytes that are invalid UTF-8 characters, such as GeSHi Filter [ http://drupal.org//project/geshifilter ] and Code Filter [ http://drupal.org//project/codefilter ], will cause any text using the filter to not be displayed. Disable the modules until a solution has been found.

- ------------REPORTED BY------------

The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend. The Drupal security team wants to thank Die Zeit [ http://www.zeit.de/ ], who commissioned the audit, for sharing the results.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

- ------------SA-2008-007 - DRUPAL CORE - CROSS SITE SCRIPTING (REGISTER_GLOBALS)------------

  * Advisory ID: DRUPAL-SA-2008-007
  * Project: Drupal core
  * Version: 4.7.x, 5.x
  * Date: 2008-January-10
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross site scripting when register_globals is enabled.
- ------------DESCRIPTION------------

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both of these measures are not effective and your PHP interpreter is configured with register_globals enabled will this issue affect you.

- ------------VERSIONS AFFECTED------------

  * Drupal 4.7.x
  * Drupal 5.x

- ------------SOLUTIONS------------

  * Disable register_globals. Please refer to the PHP documentation [ http://www.php.net/configuration.changes ] for information on how to configure PHP.
  * Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.

- ------------REPORTED BY------------

Ultra Security Research.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR4b6iyh9+71yA2DNAQKk2QP/QYlkN9uQXJz7i5EzU8U3KVDb/nNNeWlO
HP1QTxv2KTATY4020A6JZRFkcx+C19uUZ2HL5VdQBmHL54nYubvcvCecTEwdGvqd
4IHd8UAbGxqyMP5slM2AQZ6NHAuyo5gXfVOpZnLMpTIB3NCU8hikEYyiiA7rvXyf
NmFBLhtTRII=
=00vW
-----END PGP SIGNATURE-----