             AUSCERT External Security Bulletin Redistribution

                                Drupal core
                               10 July 2009


        AusCERT Security Bulletin Summary

Product:           Drupal core
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting   -- Remote with User Interaction
                   Unauthorised Access    -- Existing Account            
                   Access Privileged Data -- Remote/Unauthenticated      
Resolution:        Upgrade
CVE Names:         CVE-2009-2372 CVE-2009-2373 CVE-2009-2374

Original Bulletin: 

Revision History:  July 10 2009: Updated CVE References
                   July  2 2009: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CORE-2009-007
  * Project: Drupal core
  * Version: 5.x, 6.x
  * Date: 2009-July-1
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION--------------------------------------------------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

.... Cross-site scripting

The Forum module does not correctly handle certain arguments obtained from
the URL. By enticing a suitably privileged user to visit a specially crafted
URL, a malicious user is able to insert arbitrary HTML and script code into
forum pages. Such a cross-site scripting attack may lead to the malicious
user gaining administrative access. Wikipedia has more information about
cross-site scripting [1] (XSS). This issue affects Drupal 6.x only.

.... Input format access bypass

User signatures have no separate input format; they use the format of the
comment with which they are displayed. A user will no longer be able to edit
a comment when an administrator changes the comment's input format to a
format that is not accessible to the user. However, they will still be able
to modify their signature, which will then be processed by the new input
format. If the new format is very permissive, the user may be able to insert
arbitrary HTML and script code into pages via their signature or, when the
PHP filter is enabled for the new format, execute PHP code. This issue
affects Drupal 6.x only.
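The access gap described above, modelled as an added PHP example (this is illustrative code, not Drupal's own module code or its patch): a signature is rendered through whatever format the enclosing comment uses, so the render step should confirm the signature's author may actually use that format and otherwise fall back to plain escaping. All class and function names here are hypothetical.

```php
<?php
// Added example, not part of the Drupal advisory or code base.
// Models the user-signature format check; names are hypothetical.

final class Format {
    public function __construct(
        public int $id,
        public string $name,
        public array $allowedRoles,   // roles permitted to post in this format
        public bool $hasPhpFilter,
    ) {}
}

final class User {
    public function __construct(public int $uid, public array $roles, public string $signature = '') {}
}

/** Hypothetical stand-in for "may this user post content in this format?" */
function format_accessible(Format $format, User $user): bool {
    return (bool) array_intersect($format->allowedRoles, $user->roles);
}

/** Vulnerable behaviour (simplified): the signature inherits the comment's format unconditionally. */
function render_signature_vulnerable(User $author, Format $commentFormat, callable $checkMarkup): string {
    return $checkMarkup($author->signature, $commentFormat);
}

/**
 * Hardened behaviour: only run the signature through the comment's format when its
 * author is allowed to use that format; otherwise escape it so a permissive or
 * PHP-enabled format an administrator later assigned to the comment cannot be reached.
 */
function render_signature_hardened(User $author, Format $commentFormat, callable $checkMarkup): string {
    if (format_accessible($commentFormat, $author) && !$commentFormat->hasPhpFilter) {
        return $checkMarkup($author->signature, $commentFormat);
    }
    return htmlspecialchars($author->signature, ENT_QUOTES, 'UTF-8');
}

// Constructed scenario: the comment was moved to a full-HTML format the author cannot use.
$fullHtml  = new Format(2, 'Full HTML', ['administrator'], false);
$author    = new User(7, ['authenticated user'], '<script>alert(1)</script>');
$passThru  = fn(string $text, Format $f): string => $text;   // stands in for the permissive format

echo render_signature_vulnerable($author, $fullHtml, $passThru), "\n";   // script reaches the page
echo render_signature_hardened($author, $fullHtml, $passThru), "\n";     // rendered as escaped text
```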

.... Password leaked in URL

When an anonymous user fails to log in because of a mistyped username or
password, and the page they are on contains a sortable table, the (incorrect)
username and password are included in the table's sort links. If the user
follows these links, the password may then be leaked to external sites via
the HTTP Referer header. In addition, if the anonymous user is enticed to visit
the site via a specially crafted URL while the Drupal page cache is enabled, a
malicious user might be able to retrieve the (incorrect) username and password
from the page cache. This issue affects both Drupal 5.x and Drupal 6.x.
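How a sortable table ends up carrying form fields in its links, as an added PHP example that is not Drupal's own tablesort code or its patch: a header-link builder that reuses all request data (GET and POST merged) copies the failed-login fields into the sort URLs, whereas one that only reads the GET query string does not. The function names and the constructed request below are hypothetical.

```php
<?php
// Added example, not part of the Drupal advisory or code base.
// Simplified model of a sortable-table link builder; names are hypothetical.

/** Vulnerable (simplified): builds the query string from all request data, so POSTed form fields leak into links. */
function tablesort_querystring_vulnerable(array $request, array $exclude = []): string {
    $drop = array_flip(array_merge(['q', 'sort', 'order'], $exclude));
    return http_build_query(array_diff_key($request, $drop));
}

/** Hardened: only the GET query string feeds the link; request bodies never do. */
function tablesort_querystring_hardened(array $get, array $exclude = []): string {
    $drop = array_flip(array_merge(['q', 'sort', 'order'], $exclude));
    return http_build_query(array_diff_key($get, $drop));
}

/** Builds one column header link, HTML-escaped for output. */
function sort_link(string $path, string $column, string $querystring): string {
    $qs = 'sort=asc&order=' . rawurlencode($column);
    if ($querystring !== '') {
        $qs .= '&' . $querystring;
    }
    return htmlspecialchars($path . '?' . $qs, ENT_QUOTES, 'UTF-8');
}

// Constructed request: a failed login POSTed from a page that also renders a sortable table.
$get     = ['q' => 'node/1', 'page' => '2'];
$post    = ['name' => 'alice', 'pass' => 'not-the-real-password', 'form_id' => 'user_login_block'];
$request = $get + $post;   // what a merged GET+POST array would contain

// The first link carries name= and pass=; any external site reached from it sees them in Referer,
// and a cached copy of this page would store them too. The second link carries only page=.
echo sort_link('/node/1', 'title', tablesort_querystring_vulnerable($request)), "\n";
echo sort_link('/node/1', 'title', tablesort_querystring_hardened($get)), "\n";
```

Beyond the link builder itself, the page-cache half of the issue is avoided by never caching the response to a POST, since that response is specific to one submission.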

-------- VERSIONS AFFECTED--------------------------------------------------

  * Drupal 5.x before version 5.19.
  * Drupal 6.x before version 6.13.

-------- SOLUTION------------------------------------------------------------

Install the latest version:
  * If you are running Drupal 6.x then upgrade to Drupal 6.13 [2].
  * If you are running Drupal 5.x then upgrade to Drupal 5.19 [3].

If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. These patches
fix the security vulnerabilities, but do not contain other fixes which were
released in Drupal 5.19 or Drupal 6.13.
  * To patch Drupal 6.12 use SA-CORE-2009-007-6.12.patch [4].
  * To patch Drupal 5.18 use SA-CORE-2009-007-5.18.patch [5].

-------- REPORTED BY---------------------------------------------------------

The forum XSS issue was independently reported by Mark Piper of Catalyst IT
Ltd, Sven Herrmann and Brandon Knight. The user signature issue was reported
by Gerhard Killesreiter [6] of the Drupal security team. The password in URL
issue was reported by Sumit Datta [7].

-------- FIXED BY-----------------------------------------------------------

The forum XSS issue was fixed by Heine Deelstra [8], Peter Wolanin [9] and
Charlie Gordon [10]. The user signature issue was fixed by David Rothstein
[11], Charlie Gordon [12], Heine Deelstra [13] and Gábor Hojtsy [14]. The
password in URL issue was fixed by Damien Tournoud [15] and Bart Jansens [16].

-------- CONTACT-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://ftp.drupal.org/files/projects/drupal-6.13.tar.gz
[3] http://ftp.drupal.org/files/projects/drupal-5.19.tar.gz
[4] http://drupal.org/files/sa-core-2009-007/SA-CORE-2009-007-6.12.patch
[5] http://drupal.org/files/sa-core-2009-007/SA-CORE-2009-007-5.18.patch
[6] http://drupal.org/user/227
[7] http://drupal.org/user/59022
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/49851
[10] http://drupal.org/user/157412
[11] http://drupal.org/user/124982
[12] http://drupal.org/user/157412
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/4166
[15] http://drupal.org/user/22211
[16] http://drupal.org/user/5330

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967