===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.1205
                         DRUPAL-SA-CORE-2012-004
                             20 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   http://drupal.org/SA-CORE-2012-004

--------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CORE-2012-004
  * Project: Drupal core [1]
  * Version: 6.x, 7.x
  * Date: 2012-December-19
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Arbitrary PHP code execution

-------- DESCRIPTION ---------------------------------------------------------

Multiple vulnerabilities were fixed in the supported Drupal core versions 6
and 7.

.... Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user
search results, even when the search results are viewed by unprivileged
users.

This vulnerability is mitigated by the fact that the default Drupal core
user search results only display usernames (and disclosure of usernames is
not considered a security vulnerability [3]). However, since modules or
themes may override the search results to display more information from
each user's profile, this could result in additional information about
blocked users being disclosed on some sites.

CVE: Requested.

.... Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded files
to be displayed in RSS feeds and search results to users that do not have
the "view uploaded files" permission.

This issue affects Drupal 6 only.

CVE: Requested.

.... Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that can
be executed on the server by munging the filename. A malicious user could
name a file in a manner that bypasses this munging of the filename in
Drupal's input validation.

This vulnerability is mitigated by several factors: The attacker would need
the permission to upload a file to the server. Certain combinations of PHP
and filesystems are not vulnerable to this issue, though we did not perform
an exhaustive review of the supported PHP versions. Finally: the server
would need to allow execution of files in the uploads directory. Drupal core
has protected against this with a .htaccess file protection in place from
SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache
configurations [4]. Users of IIS should consider updating their web.config
[5]. Users of Nginx should confirm that only the index.php and other known
good scripts are executable. Users of other webservers should review their
configuration to ensure the goals are achieved in some other way.

CVE: Requested.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /A CVE identifier [6] will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal core 6.x versions prior to 6.27.
  * Drupal core 7.x versions prior to 7.18.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Drupal 6.x, upgrade to Drupal core 6.27 [7].
  * If you use Drupal 7.x, upgrade to Drupal core 7.18 [8].

Also see the Drupal core [9] project page.

-------- REPORTED BY ---------------------------------------------------------

  * The access bypass issue in the User module search results was reported
    by Derek Wright [10] of the Drupal Security Team.
  * The access bypass issue in the Drupal 6 Upload module was reported by
    Simon Rycroft [11], and by Damien Tournoud [12] of the Drupal Security
    Team.
  * The arbitrary code execution issue was reported by Amit Asaravala [13].

-------- FIXED BY ------------------------------------------------------------

  * The access bypass issue in the User module search results was fixed by
    Derek Wright [14], Ivo Van Geertruyen [15], Peter Wolanin [16], and
    David Rothstein [17], all members of the Drupal Security Team.
  * The access bypass issue in the Drupal 6 Upload module was fixed by
    Michaël Dupont [18], and by Fox [19] and David Rothstein [20] of the
    Drupal Security Team.
  * The arbitrary code execution issue was fixed by Nathan Haug [21] and
    Justin Klein-Keane [22], and by John Morahan [23] and Greg Knaddison
    [24] of the Drupal Security Team.

-------- COORDINATED BY ------------------------------------------------------

  * Jeremy Thorson [25] QA/Testing infrastructure
  * Ben Jeavons [26] of the Drupal Security Team
  * David Rothstein [27] of the Drupal Security Team
  * Gábor Hojtsy [28] of the Drupal Security Team
  * Greg Knaddison [29] of the Drupal Security Team
  * Fox [30] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [31].

Learn more about the Drupal Security team and their policies [32], writing
secure code for Drupal [33], and securing your site [34].
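The Nginx guidance above ("only index.php and other known good scripts are executable") is easy to get wrong with a catch-all PHP location. The following is an added configuration example, not part of the Drupal advisory or the AusCERT bulletin: a common weak layout beside a hardened one that keeps the public files directory out of the PHP handler entirely and passes only Drupal 7's own front controllers to PHP-FPM. The socket path, the `/sites/default/files/` location and the list of front controllers are assumptions for a standard single-site Drupal 7 docroot.

```nginx
# WEAK: every request ending in .php, anywhere under the docroot, is handed
# to PHP-FPM. A file in the public uploads directory that slips past
# Drupal's filename munging therefore becomes executable.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed socket path
}

# HARDENED (replace the block above with the three blocks below; regex
# locations are tried in order, and a ^~ prefix match is taken before any
# regex location is consulted).

# 1. Nothing under the public files directory is ever handed to PHP, no
#    matter what the file is called. ^~ means the generic PHP block can
#    never match this prefix; the nested location refuses anything with
#    ".php" anywhere in its name (foo.php, foo.php.txt, foo.php/bar)
#    instead of serving the uploaded source as text.
location ^~ /sites/default/files/ {       # assumed public files path
    location ~ \.php {
        return 403;
    }
    try_files $uri =404;
}

# 2. Only the front controllers that ship with Drupal 7 are executed.
#    try_files =404 ensures the script really exists on disk, which closes
#    the PATH_INFO trick when PHP's cgi.fix_pathinfo is enabled.
location ~ ^/(index|cron|update|install|authorize|xmlrpc)\.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed socket path
}

# 3. Every other request that mentions .php gets no handler at all.
location ~ \.php {
    return 404;
}
```

Sites with a different `file_public_path` or a multisite layout must adjust the prefix in block 1 (for example `^~ /sites/` covering all site directories), and any private files directory should live outside the docroot altogether.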
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1004778
[4] http://drupal.org/node/65409
[5] http://drupal.org/node/1543392
[6] http://cve.mitre.org/
[7] http://drupal.org/drupal-6.27-release-notes
[8] http://drupal.org/drupal-7.18-release-notes
[9] http://drupal.org/project/drupal
[10] http://drupal.org/user/46549
[11] http://drupal.org/user/151544
[12] http://drupal.org/user/22211
[13] http://drupal.org/user/181407
[14] http://drupal.org/user/46549
[15] http://drupal.org/user/383424
[16] http://drupal.org/user/49851
[17] http://drupal.org/user/124982
[18] http://drupal.org/user/400288
[19] http://drupal.org/user/426416
[20] http://drupal.org/user/124982
[21] http://drupal.org/user/35821
[22] http://drupal.org/user/302225
[23] http://drupal.org/user/58170
[24] http://drupal.org/user/36762
[25] http://drupal.org/user/148199
[26] http://drupal.org/user/91990
[27] http://drupal.org/user/124982
[28] http://drupal.org/user/4166
[29] http://drupal.org/user/36762
[30] http://drupal.org/user/426416
[31] http://drupal.org/contact
[32] http://drupal.org/security-team
[33] http://drupal.org/writing-secure-code
[34] http://drupal.org/security/secure-configuration

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================