10 April 2008
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2008.0369 -- [Win][UNIX/Linux]
Drupal core - Access bypass
10 April 2008
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:            Drupal prior to 6.2
Publisher:          Drupal Core
Operating System:   Windows
                    UNIX variants (UNIX, Linux, OSX)
Impact:             Inappropriate Access
Access:             Remote/Unauthenticated

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------SA-2008-026 - DRUPAL CORE - ACCESS BYPASS------------

  * Advisory ID: DRUPAL-SA-2008-026
  * Project: Drupal core
  * Version: 6.x
  * Date: 2008-April-09
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

- ------------DESCRIPTION------------

The menu system routes page requests to appropriate handlers. It also determines whether a user has access to pages based on several criteria, such as permissions assigned to a role.

Drupal 6 features an entirely revised menu system, including changes to the way access is dealt with, which if not properly understood by developers can lead to vulnerabilities. This security release provides a more secure access behaviour by default, and fixes incorrectly set menu items in Drupal core.

Access to some pages was not appropriately controlled:

  * Any user can edit profile pages of other users.
  * Users who can view administration pages are able to edit content types.
  * The tracker and blog pages expose information to users without the "access content" permission.

- ------------VERSIONS AFFECTED------------

  * Drupal 6.x before version 6.2.

- ------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 6.x then upgrade to Drupal 6.2 [ http://ftp.drupal.org/files/projects/drupal-6.2.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patch fixes incorrectly set menu items in Drupal core, but does not contain the menu API change which would provide secure defaults. This patch is a temporary solution to be used if modules are required which are still incompatible with the new API changes.

  * To patch Drupal 6.1 use SA-2008-026-6.1.patch [ http://drupal.org/files/sa-2008-026/SA-2008-026-6.1.patch ].

IMPORTANT NOTES

It is essential to follow this process when updating:

  * First make sure that you are logged in as user number 1 or that your site's settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
  * Turn your site into offline mode.
  * Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
  * Run update.php.
  * Turn your site back to online mode.
  * If you edited your site's settings.php, make sure to set $update_free_access = FALSE;

If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message:

  "Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594"

and you will have no way to set the site to offline mode on the web interface until you get through update.php.

Contributed modules may require an update to work properly with Drupal 6.2. Failing to update modules will lead to some pages of the affected modules not being accessible.

- ------------NOTE FOR MODULE DEVELOPERS------------

Drupal 6.2 contains two API changes.

  * Menu access callbacks are no longer inherited from parent items.
  * %user_current has been renamed to %user_uid_optional.
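
Both API changes can be checked mechanically in a contributed module before the upgrade. The following is an added example, not code from Drupal or from this advisory: the functions sa026_audit_menu() and sa026_nearest_parent() and the sample module are hypothetical, and the check treats every menu item alike and only sees parent items defined in the same array.

```php
<?php
// Added example, not Drupal core code. Audits the array returned by one
// module's hook_menu() for the two Drupal 6.2 API changes listed above.
// Returns findings keyed by menu path.
function sa026_audit_menu(array $items) {
  $findings = array();
  foreach ($items as $path => $item) {
    // The %user_current wildcard was renamed to %user_uid_optional.
    if (strpos($path, '%user_current') !== FALSE) {
      $findings[$path][] = 'uses %user_current; rename to %user_uid_optional';
    }
    // Access callbacks are no longer inherited from parent items, so an item
    // with neither key depended on access settings defined elsewhere.
    if (!isset($item['access callback']) && !isset($item['access arguments'])) {
      $parent = sa026_nearest_parent($path, $items);
      $findings[$path][] = 'no explicit access settings'
        . ($parent === NULL ? '' : "; nearest parent here is '$parent'");
    }
  }
  return $findings;
}

// Nearest ancestor path defined in the same array, or NULL. Parents defined
// by other modules are not visible to this check.
function sa026_nearest_parent($path, array $items) {
  $parts = explode('/', $path);
  while (array_pop($parts) !== NULL && $parts) {
    $candidate = implode('/', $parts);
    if (isset($items[$candidate])) {
      return $candidate;
    }
  }
  return NULL;
}

// Constructed sample input: a hypothetical module written against Drupal 6.1.
$sample = array(
  'admin/settings/example' => array(
    'page callback' => 'example_admin_page',
    'access arguments' => array('administer example'),
  ),
  'admin/settings/example/edit' => array(  // no access keys of its own
    'page callback' => 'example_admin_edit',
  ),
  'user/%user_current/example' => array(
    'page callback' => 'example_user_page',
    'access callback' => 'example_user_access',
  ),
);
print_r(sa026_audit_menu($sample));
```

On the sample, the edit page is reported for missing access settings and the user page for the renamed wildcard; each reported item is a candidate for the module update described above.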

Additional information can be found in Updating your 6.x module to work with 6.2 [ http://drupal.org/node/244569 ].

- ------------REPORTED BY------------

  * The tracker and profile access issue were respectively reported by Peter Wolanin and Greg Knaddison of the Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

  http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================