Hosting Provided By

[DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilities

From: Heine Deelstra <hdeelstra(at)gmail.com>
Date: Sun Jul 29 2007 - 17:49:50 EDT

Drupal security advisory                                  DRUPAL-SA-2007-018
----------------------------------------------------------------------------
Project:          Drupal core
Version:          4.7.x, 5.x
Date:             2007-July-26

Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site scripting vulnerabilities

Description

Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website. Revoking the 'administer content types' permission provides an immediate workaround.

Both vulnerabilities are know as cross site scripting.

Versions affected

Drupal 4.7.x versions before Drupal 4.7.7
Drupal 5.x versions before Drupal 5.2

Solution

If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7. http://ftp.drupal.org/pub/drupal/files/projects/drupal-4.7.7.tar.gz
If you are running Drupal 5.x then upgrade to Drupal 5.2. http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

To patch Drupal 4.7.6 use http://drupal.org/files/sa-2007-018/SA-2007-018-4.7.6.patch.
To patch Drupal 5.1 use http://drupal.org/files/sa-2007-018/SA-2007-018-5.1.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.7.7 or 5.2.

Do you need help?

Important note

The configuration file settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites' settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

Reported by

The server variables issue was reported by David Caylor.
Content type naming issues were reported by Karthik.

Thanks

The security team whishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Janssen and Neil Drumm for technical assistance.

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

application/pgp-signature attachment: OpenPGP digital signature

Received on Mon Jul 30 13:58:23 2007

This message: [ Message body ]
Next message: Heine Deelstra: "[DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities"
Previous message: Foresight Linux Essential Announcement Service: "FLEA-2007-0036-1 vim vim-minimal gvim"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:10:28 EDT