===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2012.1001.2
         Multiple vulnerabilities have been fixed in Drupal core
                             12 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4554 CVE-2012-4553

Original Bulletin:
   http://drupal.org/node/1815912

Revision History:  November 12 2012: Added CVEs
                   October  18 2012: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CORE-2012-003
  * Project: Drupal core [1]
  * Version: 7.x
  * Date: 2012-October-17
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure, Arbitrary PHP code execution

-------- DESCRIPTION ---------------------------------------------------------

Multiple vulnerabilities were discovered in Drupal core.

.... Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to
re-install Drupal using an external database server under certain transient
conditions. This could allow the attacker to execute arbitrary PHP code on the
original server.

This vulnerability is mitigated by the fact that the re-installation can only
be successful if the site's settings.php file or sites directories are
writeable by or owned by the webserver user. Configuring the Drupal
installation to be owned by a different user than the webserver user (and not
to be writeable by the webserver user) is a recommended security best practice
[3]. However, in all cases the transient conditions expose information to an
attacker who accesses install.php, and therefore this security update should
be applied to all Drupal 7 sites.

.... Information disclosure - OpenID module

For sites using the core OpenID module, an information disclosure
vulnerability was identified that allows an attacker to read files on the
local filesystem by attempting to log in to the site using a malicious OpenID
server.

CVE: Requested

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal core 7.x versions prior to 7.16.

Drupal 6 is not affected.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Drupal 7.x, upgrade to Drupal core 7.16 [4].

If you are unable to deploy the security release immediately, removing or
blocking access to install.php is a sufficient mitigation step for the
arbitrary PHP code execution vulnerability.

Also see the Drupal core [5] project page.

-------- REPORTED BY ---------------------------------------------------------

  * The arbitrary PHP code execution vulnerability was reported by Heine
    Deelstra [6] and Noam Rathaus [7] working with Beyond Security's
    SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of
    the Drupal Security Team.
  * The information disclosure vulnerability in the OpenID module was
    reported by Reginaldo Silva [8].

-------- FIXED BY ------------------------------------------------------------

  * The arbitrary PHP code execution vulnerability was fixed by Damien
    Tournoud [9], David Rothstein [10], Peter Wolanin [11], and Karoly
    Negyesi [12], all members of the Drupal Security Team.
  * The information disclosure vulnerability in the OpenID module was fixed
    by Reginaldo Silva [13], Christian Schmidt [14], Vojtech Kusy [15], and
    Frederic Marand [16], and by Peter Wolanin [17], David Rothstein [18],
    Damien Tournoud [19], and Heine Deelstra [20] of the Drupal Security
    Team.

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [21].

Learn more about the Drupal Security team and their policies [22], writing
secure code for Drupal [23], and securing your site [24].

[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/244924
[4] http://drupal.org/node/1815904
[5] http://drupal.org/project/drupal
[6] http://drupal.org/user/17943
[7] http://drupal.org/user/2317662
[8] http://drupal.org/user/2305626
[9] http://drupal.org/user/22211
[10] http://drupal.org/user/124982
[11] http://drupal.org/user/49851
[12] http://drupal.org/user/9446
[13] http://drupal.org/user/2305626
[14] http://drupal.org/user/216078
[15] http://drupal.org/user/56154
[16] http://drupal.org/user/27985
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/124982
[19] http://drupal.org/user/22211
[20] http://drupal.org/user/17943
[21] http://drupal.org/contact
[22] http://drupal.org/security-team
[23] http://drupal.org/writing-secure-code
[24] http://drupal.org/security/secure-configuration

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
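
The advisory's mitigating condition (settings.php and the sites directories must not be owned by or writeable by the webserver user) can be audited with a short script. This is an added example, not part of the AusCERT bulletin or the Drupal advisory; the function name, the www-data default and the Drupal 7 sites/*/settings.php layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): list the paths named in the
# advisory's mitigation that the web server account could modify.
# Assumptions: Drupal 7 layout (<docroot>/sites/<site>/settings.php); the
# account name is supplied by the caller, www-data is only a default.

# Prints each sites directory or settings.php under docroot ($1) that is
# owned by the account ($2), writeable through its primary group, or
# world-writeable. Returns 0 if none, 1 if any were found, 2 on bad input.
drupal_writable_paths() {
    docroot=$1
    web_user=${2:-www-data}
    [ -d "$docroot/sites" ] || {
        echo "no sites/ directory under $docroot" >&2; return 2; }
    web_group=$(id -gn "$web_user" 2>/dev/null) || {
        echo "unknown user: $web_user" >&2; return 2; }

    # Directories are checked at sites/ and sites/<site> only: deeper ones
    # such as sites/<site>/files must stay writeable for uploads.
    # Limitation: supplementary groups and ACLs are not examined.
    found=$(find "$docroot/sites" -maxdepth 2 \
        \( \( -type d ! -path "$docroot/sites/*/*" \) \
           -o \( -type f -name settings.php \) \) \
        \( -user "$web_user" -o -perm -0002 \
           -o \( -group "$web_group" -perm -0020 \) \) -print)

    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/docroot [web-user]
if [ $# -gt 0 ]; then
    drupal_writable_paths "$@"
fi
```

Any path it prints should be re-owned to a non-webserver account or have the offending write bit removed; the check does not cover the other mitigation, blocking access to install.php.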