Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site script

from [Heine Deelstra] Network Security [Permanent Link]
Subject: [DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilities
Date: Sun, 29 Jul 2007 23:49:50 +0200 
----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2007-018
----------------------------------------------------------------------------
Project:          Drupal core
Version:          4.7.x, 5.x
Date:             2007-July-26
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Multiple cross site scripting vulnerabilities
----------------------------------------------------------------------------

Description
-----------
Some server variables are not escaped consistently. When a malicious user is
able to entice a victim to visit a specially crafted link or webpage, arbitrary
HTML and script code can be injected and executed in the context of the
victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with
the 'administer content types' permission would be able to inject and execute
arbitrary HTML and script code on the website.
Revoking the 'administer content types' permission provides an immediate
workaround.

Both vulnerabilities are know as cross site scripting.


Versions affected
-----------------
- Drupal 4.7.x versions before Drupal 4.7.7
- Drupal 5.x versions before Drupal 5.2


Solution
--------
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
   http://ftp.drupal.org/pub/drupal/files/projects/drupal-4.7.7.tar.gz
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
   http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.

- To patch Drupal 4.7.6 use
    http://drupal.org/files/sa-2007-018/SA-2007-018-4.7.6.patch.
- To patch Drupal 5.1 use
    http://drupal.org/files/sa-2007-018/SA-2007-018-5.1.patch.

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.7.7 or 5.2.


Important note
--------------
The configuration file settings.php is one of the files containing vulnerable
code. It is therefore critical to replace all of your sites' settings.php files
 in subdirectories of sites with the new one from the archive. After you have
 replaced the files, make sure to edit the value of the $db_url variable to be
 identical to the value in your old settings.php. This is the information that
 determines how Drupal connects to a database.


Reported by
-----------
- The server variables issue was reported by David Caylor.
- Content type naming issues were reported by Karthik.


Thanks
------
The security team whishes to thank Dave, Morten Wulff, Brenda Wallace,
Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Janssen and
Neil Drumm for technical assistance.


Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.

Attachment: signature.asc
Description: OpenPGP digital signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilities, Heine Deelstra <=
Previous by Date:  [Full-disclosure] FLEA-2007-0036-1 vim vim-minimal gvim, Foresight Linux Essential Announcement Service
Next by Date:  [DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities, Heine Deelstra
Previous by Thread:  [Full-disclosure] FLEA-2007-0036-1 vim vim-minimal gvim, Foresight Linux Essential Announcement Service
Next by Thread:  [DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities, Heine Deelstra
Indexes:  [Date] [Thread] [Top] [All Lists]