On the front page I see an announcement "Drupal 6.11 and 5.17 released". These include fixes for security vulnerabilities.

I know that such vulnerabilities may not necessarily apply to my site, for example if they depend on the presence of certain modules, or if they protect against authorised users gaining additional permissions. So of course I want to read the details to find out whether I need to go through the effort of updating my site.

I must be having a bad day. Where is the link to this info?

Comments

vm’s picture

Read the entire release node by clicking on the title on the front page. There you will find a security advisory link.

jwuk’s picture

Thanks. The 'read more' isn't very obvious, is it? I wonder how many other people stumble in this way.

vm’s picture

Seems obvious enough to me. Though I guess I am used to the idea that on any Drupal install the title can be clicked on to reveal the entire node rather than the teaser when on the front page.

jwuk’s picture

Yeah, well perhaps it'll be picked up with all the D7 usability studies going on. If it were aok would there be any need for http://drupal.org/project/ed_readmore ?

But thanks for setting me on the right path.

vm’s picture

No idea, I don't use that module.

publetariat’s picture

Sorry to be so thick, but I read the release notes and I'm still not sure if I need the patch or not.

When it says there's a vulnerability "if site visitors are allowed to post content," what exactly does that mean? I know things like Stories and Blog Entries are content, but what about other things? Are comments submitted via comment forms "content"? Are messages sent via the site-wide contact form "content"? And if some malicious user *did* somehow manage to execute malicious code, would they have to post content to do so---in other words, wouldn't that sort of thing show up on the 'Track' tab of their member profile?

I'm seeing a lot of posts here from people who've had problems with their sites after doing the upgrade, so I don't want to do it if I don't have to.

vm’s picture

User submitted content is anything that a user submits, including comments. My reading of the release thread is that if some maliciously formed content makes it to the front page, that is where the exploit can be problematic.

I've updated 6 sites from 6.10 - 6.11 without issue. That said, best practice would be to do a dry run. Export your database to a test site and do the upgrade on the test site.

publetariat’s picture

Thanks, VeryMis. But isn't the front page vulnerability just the second half of the notice? What about the part that says:

"Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content."

Since there's an HTTP header on every page, I'd think this vulnerability exists on every page of the site. However, since the only content types my users can submit are comments (anonymous visitors and above), blog entries (authenticated members and above) and stories (privileged users - contributors), and all of those content types are stored in the database---not as individual, complete pages---I don't see how any users could possibly get access to alter the HTTP header on any page. It seems to me that the only people who could do that are people who have FTP access or control panel access, and only the site admin has those rights.

publetariat’s picture

*bump* -

Does anybody know if I'm right in thinking that so long as no one but the site admin is capable of posting entire web pages (as opposed to blog entries, stories, comments, etc. within the Drupal interface) to my Drupal 6.10 site, I don't need to worry about the HTTP header vulnerability in 6.10? I mean, assuming the site admin isn't doing anything fishy?
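The condition in the advisory text quoted above can be checked on rendered pages. This is an added example, not part of the original thread and not Drupal's code: it reports UTF-7 shifted sequences that decode to markup characters and sit before the tag declaring the charset. The function name and both sample pages are constructed for illustration, and the sample uses a harmless `<b>` tag.

```python
import re

# The tag that declares the page charset, e.g.
# <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
META_CHARSET = re.compile(rb"<meta[^>]*charset\s*=", re.IGNORECASE)
# A UTF-7 shifted sequence: '+', modified base64, optional '-' terminator.
UTF7_RUN = re.compile(rb"\+[A-Za-z0-9+/]+-?")
MARKUP_CHARS = set("<>\"'")


def utf7_markup_before_charset(html: bytes):
    """Return (offset, raw, decoded) for each UTF-7 run that decodes to a
    markup character and appears before the charset declaration.
    If the page has no such declaration, the whole page is scanned."""
    meta = META_CHARSET.search(html)
    head = html if meta is None else html[:meta.start()]
    findings = []
    for run in UTF7_RUN.finditer(head):
        try:
            decoded = run.group().decode("utf-7")
        except UnicodeDecodeError:
            continue  # ordinary text such as "C++", not a valid sequence
        if MARKUP_CHARS & set(decoded):
            findings.append((run.start(), run.group().decode("ascii"), decoded))
    return findings


# Constructed sample: visitor-supplied text lands in <title>, which comes
# BEFORE the charset declaration, so a UTF-7 guess would see markup.
TITLE_FIRST = (
    b"<html><head><title>+ADw-b+AD4-hello+ADw-/b+AD4- | Example site</title>\n"
    b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
    b"</head><body>C++ tips</body></html>"
)

# Same constructed page with the declaration moved ahead of the title.
META_FIRST = (
    b"<html><head>\n"
    b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
    b"<title>+ADw-b+AD4-hello+ADw-/b+AD4- | Example site</title>\n"
    b"</head><body>C++ tips</body></html>"
)

if __name__ == "__main__":
    for name, page in (("title first", TITLE_FIRST), ("meta first", META_FIRST)):
        print(name, utf7_markup_before_charset(page))
```

The bytes involved are plain ASCII stored in the database like any other comment or title text, so the check runs against rendered page output rather than HTTP headers.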