----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2007-018
----------------------------------------------------------------------------
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-July-26
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site scripting vulnerabilities
----------------------------------------------------------------------------

Description
-----------
Some server variables are not escaped consistently. When a malicious user is
able to entice a victim to visit a specially crafted link or webpage, arbitrary
HTML and script code can be injected and executed in the context of the
victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with
the 'administer content types' permission would be able to inject and execute
arbitrary HTML and script code on the website.
Revoking the 'administer content types' permission provides an immediate
workaround.

Both vulnerabilities are know as cross site scripting [1].

Versions affected
-----------------
- Drupal 4.7.x versions before Drupal 4.7.7
- Drupal 5.x versions before Drupal 5.2

Solution
--------
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
http://ftp.drupal.org/pub/drupal/files/projects/drupal-4.7.7.tar.gz
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.

- To patch Drupal 4.7.6 use
http://drupal.org/files/sa-2007-018/SA-2007-018-4.7.6.patch.
- To patch Drupal 5.1 use
http://drupal.org/files/sa-2007-018/SA-2007-018-5.1.patch.

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.7.7 or 5.2.

Important note
--------------
The configuration file settings.php is one of the files containing vulnerable
code. It is therefore critical to replace all of your sites' settings.php files
in subdirectories of sites with the new one from the archive. After you have
replaced the files, make sure to edit the value of the $db_url variable to be
identical to the value in your old settings.php. This is the information that
determines how Drupal connects to a database.

Reported by
-----------
- The PHP_SELF issue was reported by David Caylor.
- Content type naming issues were reported by Karthik.

Thanks
------
The security team whishes to thank Dave, Morten Wulff, Brenda Wallace,
Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Janssen and
Neil Drumm for technical assistance.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.

References
----------
[1] http://en.wikipedia.org/wiki/Xss

  1. first4you 2007.07.27 13:36

    5.x 버전대에선 두가지 문제가 동시에 발생했군요. drupal을 사용한다면 바로 업그레이드 하시는것이 좋겠습니다.

    ----------------------------------------------------------------------------
    Drupal security advisory DRUPAL-SA-2007-017
    ----------------------------------------------------------------------------
    Project: Drupal core
    Version: 5.x
    Date: 2007-July-26
    Security risk: Moderately critical
    Exploitable from: Remote
    Vulnerability: Multiple cross site request forgeries
    ----------------------------------------------------------------------------

    Description
    -----------
    Several parts in Drupal core are not protected against cross site request
    forgeries [1] due to inproper use of the Forms API, or by taking action solely
    on GET requests. Malicious users are able to delete comments and content
    revisions and disable menu items by enticing a privileged users to visit
    certain URLs while the victim is logged-in to the targeted site.


    Versions affected
    -----------------
    - Drupal 5.x versions before Drupal 5.2


    Solution
    --------
    - If you are running Drupal 5.x then upgrade to Drupal 5.2.
    http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz

    Drupal 4.7.x is not affected.

    If you are unable to upgrade immediately, you can apply a patch to secure your
    installation until you are able to do a proper upgrade.

    - To patch Drupal 5.1 use
    http://drupal.org/files/sa-2007-017/SA-2007-017-5.1.patch.

    Please note that the patches only contain changes related to this advisory, and
    do not fix bugs that were solved in 5.1.


    Reported by
    -----------
    Konstantin K�fer reported the menu issue.
    The Drupal security team.


    Contact
    -------
    The security contact for Drupal can be reached at security at drupal.org or
    using the form at http://drupal.org/contact.


    References
    ----------
    [1] http://en.wikipedia.org/wiki/Cross-site_request_forgery

+ Recent posts