Security advisories

SA-CORE-2013-002 - Drupal core - Denial of service

Drupal Security Team — Wed, 20 Feb 2013 20:50:06 +0000

Advisory ID: DRUPAL-SA-CORE-2013-002
Project: Drupal core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service

Description

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued

CVE-2013-0316

Versions affected

Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.20.

Also see the Drupal core project page.

Reported by

Fixed by

Damien Tournoud of the Drupal Security Team
Peter Wolanin of the Drupal Security Team
David Rothstein of the Drupal Security Team
Heine Deelstra of the Drupal Security Team
Bèr Kessels

Coordinated by

David Rothstein of the Drupal Security Team
Stéphane Corlosquet of the Drupal Security Team
Peter Wolanin of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities

Drupal Security Team — Wed, 16 Jan 2013 22:07:10 +0000

Advisory ID: DRUPAL-SA-CORE-2013-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2013-January-16
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting, Access bypass

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)

A reflected cross-site scripting vulnerability (XSS) was identified in certain Drupal JavaScript functions that pass unexpected user input into jQuery causing it to insert HTML into the page when the intended behavior is to select DOM elements. Multiple core and contributed modules are affected by this issue.

jQuery versions 1.6.3 and higher provide protection against common forms of this problem; thus, the vulnerability is mitigated if your site has upgraded to a recent version of jQuery. However, the versions of jQuery that are shipped with Drupal 6 and Drupal 7 core do not contain this protection.

Although the fix added to Drupal as part of this security release prevents the most common forms of this issue in the same way as newer versions of jQuery do, developers should be aware that passing untrusted user input directly to jQuery functions such as jQuery() and $() is unsafe and should be avoided.

CVE: CVE-2013-0244 (a CVE was also separately issued for jQuery)

Access bypass (Book module printer friendly version - Drupal 6 and 7)

A vulnerability was identified that exposes the title or, in some cases, the content of nodes that the user should not have access to.

This vulnerability is mitigated by the fact that the bypass is only accessible to users who already have the 'access printer-friendly version' permission (which is not granted to Anonymous or Authenticated users by default) and it only affects nodes that are part of a book outline.

CVE: CVE-2013-0245

Access bypass (Image module - Drupal 7)

Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on "image styles" and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.

This vulnerability is mitigated by the fact that it only affects sites which use the Image module and which store images in a private file system.

CVE: CVE-2013-0246

CVE identifier(s) issued

CVE-2013-0244
CVE-2013-0245
CVE-2013-0246

Versions affected

Drupal core 6.x versions prior to 6.28.
Drupal core 7.x versions prior to 7.19.

Solution

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.28.
If you use Drupal 7.x, upgrade to Drupal core 7.19.

Also see the Drupal core project page.

Reported by

The cross-site scripting issue in various Drupal core and contributed modules was reported by t.ashula, and by David Rothstein of the Drupal Security Team.
The access bypass issue in the Book module was reported by Mark Lindsey.
The access bypass issue in the Drupal 7 Image module was reported by Kressin Roger, Christian Johansson, Anders Olsson and saschadrupal.

Fixed by

The cross-site scripting issue in various Drupal core and contributed modules was fixed by t.ashula, Théodore Biadala, Katherine Bailey, Steve De Jonghe and J. Renée Beach, and by Dylan Tack, Greg Knaddison, David Rothstein and Damien Tournoud of the Drupal Security Team.
The access bypass issue in the Book module was fixed by Mark Lindsey, and by Fox, David Rothstein and Peter Wolanin of the Drupal Security Team.
The access bypass issue in the Drupal 7 Image module was fixed by Heine Deelstra of the Drupal Security Team, and by Anders Olsson.

Coordinated by

David Rothstein, Gábor Hojtsy, Stéphane Corlosquet, Greg Knaddison, Heine Deelstra and Peter Wolanin of the Drupal Security Team
Jeremy Thorson of the QA/Testing Infrastructure Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

Drupal Security Team — Wed, 19 Dec 2012 18:46:26 +0000

Advisory ID: DRUPAL-SA-CORE-2012-004
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-December-19
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Arbitrary PHP code execution

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.

This vulnerability is mitigated by the fact that the default Drupal core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user's profile, this could result in additional information about blocked users being disclosed on some sites.

Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.

This issue affects Drupal 6 only.

Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.

This vulnerability is mitigated by several factors: The attacker would need the permission to upload a file to the server. Certain combinations of PHP and filesystems are not vulnerable to this issue, though we did not perform an exhaustive review of the supported PHP versions. Finally: the server would need to allow execution of files in the uploads directory. Drupal core has protected against this with a .htaccess file protection in place from SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations. Users of IIS should consider updating their web.config. Users of Nginx should confirm that only the index.php and other known good scripts are executable. Users of other webservers should review their configuration to ensure the goals are achieved in some other way.

CVE identifier(s) issued

Access bypass (User module search - Drupal 6 and 7): CVE-2012-5651
Access bypass (Upload module - Drupal 6): CVE-2012-5652
Arbitrary PHP code execution (File upload modules - Drupal 6 and 7): CVE-2012-5653

Versions affected

Drupal core 6.x versions prior to 6.27.
Drupal core 7.x versions prior to 7.18.

Solution

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.27.
If you use Drupal 7.x, upgrade to Drupal core 7.18.

Also see the Drupal core project page.

Reported by

The access bypass issue in the User module search results was reported by Derek Wright of the Drupal Security Team.
The access bypass issue in the Drupal 6 Upload module was reported by Simon Rycroft, and by Damien Tournoud of the Drupal Security Team.
The arbitrary code execution issue was reported by Amit Asaravala.

Fixed by

The access bypass issue in the User module search results was fixed by Derek Wright, Ivo Van Geertruyen, Peter Wolanin, and David Rothstein, all members of the Drupal Security Team.
The access bypass issue in the Drupal 6 Upload module was fixed by Michaël Dupont, and by Fox and David Rothstein of the Drupal Security Team.
The arbitrary code execution issue was fixed by Nathan Haug and Justin Klein-Keane, and by John Morahan and Greg Knaddison of the Drupal Security team.

Coordinated by

Jeremy Thorson QA/Testing infrastructure
Ben Jeavons of the Drupal Security Team
David Rothstein of the Drupal Security Team
Gábor Hojtsy of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Fox of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Drupal Security Team — Wed, 17 Oct 2012 21:29:30 +0000

Advisory ID: DRUPAL-SA-CORE-2012-003
Project: Drupal core
Version: 7.x
Date: 2012-October-17
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Information Disclosure, Arbitrary PHP code execution

Description

Multiple vulnerabilities were discovered in Drupal core.

Arbitrary PHP code execution

A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.

CVE: CVE-2012-4553

Information disclosure - OpenID module

For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.

CVE: CVE-2012-4554

Versions affected

Drupal core 7.x versions prior to 7.16.

Drupal 6 is not affected.

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.16.

If you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.

Also see the Drupal core project page.

Reported by

The arbitrary PHP code execution vulnerability was reported by Heine Deelstra and Noam Rathaus working with Beyond Security's SecuriTeam Secure Disclosure Program. Heine Deelstra is also a member of the Drupal Security Team.
The information disclosure vulnerability in the OpenID module was reported by Reginaldo Silva.

Fixed by

The arbitrary PHP code execution vulnerability was fixed by Damien Tournoud, David Rothstein, Peter Wolanin, and Károly Négyesi, all members of the Drupal Security Team.
The information disclosure vulnerability in the OpenID module was fixed by Reginaldo Silva, Christian Schmidt, Vojtěch Kusý, and Frédéric Marand, and by Peter Wolanin, David Rothstein, Damien Tournoud, and Heine Deelstra of the Drupal Security Team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Drupal Security Team — Wed, 02 May 2012 15:17:48 +0000

Advisory ID: DRUPAL-SA-CORE-2012-002
Project: Drupal core
Version: 7.x
Date: 2012-May-2
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect

Description

Denial of Service

CVE: CVE-2012-1588

Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.

Unvalidated form redirect

CVE: CVE-2012-1589

Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.

Access bypass - forum listing

CVE: CVE-2012-1590

Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.

Access bypass - content administration

CVE: CVE-2012-2153

Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "Access the content overview page" permission. Unpublished nodes were not displayed to users who only had the "Access the content overview page" permission.

Versions affected

Drupal core 7.x versions prior to 7.13.

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.13

Also see the Drupal core project page.

Reported by

The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
The access bypass in forum listing vulnerability was reported by Glen W.
The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.

Fixed by

The Denial of Service was fixed by Károly Négyesi of the Drupal Security Team.
The unvalidated form redirect was fixed by Wolfgang Ziegler and Stéphane Corlosquet of the Drupal Security Team.
The access bypass in forum listing was fixed by Michael Hess of the Drupal Security Team, Ben Jeavons of the Drupal Security Team and xjm.
The Access bypass for private images was fixed by Károly Négyesi of the Drupal Security Team, Damien Tournoud of the Drupal Security Team, Greg Knaddison of the Drupal Security Team, Stéphane Corlosquet of the Drupal Security Team, Xenza and frega.
The Access bypass for content administration was fixed by Jennifer Hodgdon.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

Drupal Security Team — Wed, 01 Feb 2012 22:06:54 +0000

Advisory ID: DRUPAL-SA-CORE-2012-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2012-February-01
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities

Description

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.

Versions affected

Drupal 6.x core prior to 6.23.
Drupal 7.x core prior to 7.11.

Solution

Install the latest version:

If you use Drupal 6.x upgrade to 6.23
If you use Drupal 7.x upgrade to 7.11

See also the Drupal core project page.

Reported by

The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.

Fixed by

Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
OpenID issue fixed by Vojtech Kusy and Christian Schmidt
The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2011-003 - Drupal core - Access bypass

Drupal Security Team — Wed, 27 Jul 2011 19:32:17 +0000

Advisory ID: DRUPAL-SA-CORE-2011-003
Project: Drupal core
Version: 7.x
Date: 2011-July-27
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Access bypass

Description

CVE: CVE-2011-2726

Access bypass in private file fields on comments.

Drupal 7 contains two new features: the ability to attach File upload fields to any entity type in the system and the ability to point individual File upload fields to the private file directory.

If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL.

This issue affects Drupal 7.x only.

Versions affected

Drupal 7.x before version 7.5.

Solution

Install the latest version:

If you are running Drupal 7.x then upgrade to Drupal 7.5 or ~~7.6~~ 7.7.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.5 and Drupal ~~7.6~~ 7.7. Read the announcement for more information.

See also the Drupal core project page.

Reported by

The File access bypass was reported by Florian Weber.

Fixed by

The File access bypass was fixed by Stéphane Corlosquet and Károly Négyesi, both members of the Drupal security team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2011-002 - Drupal core - Access bypass

Drupal Security Team — Thu, 30 Jun 2011 00:13:40 +0000

Advisory ID: DRUPAL-SA-CORE-2011-002
Project: Drupal core
Version: 7.x
Date: 2011-JUNE-29
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Access bypass

Description

CVE: CVE-2011-2687

Access bypass in node listings

Listings showing nodes but not JOINing the node table show all nodes regardless of restrictions imposed by the node_access system. In core, this affects the taxonomy and the forum subsystem.

This issue only affects sites using a node access module such as content access or forum access. If you do not use any node access system then your site is not affected by this vulnerability. It is still considered a best practice to run the latest release and all site owners are encouraged to upgrade when they can regardless of whether or not they are affected.

Note that fixing this issue in contributed modules requires a backwards-compatible API change for modules listing nodes. See http://drupal.org/node/1204572 for more details.

This issue affects Drupal 7.x only.

Versions affected

Drupal 7.0, 7.1 and 7.2.

Solution

Install the latest version:

If you are running Drupal 7.x then upgrade to Drupal 7.3 or 7.4.

The Security Team has released both a pure security update without other bug fixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 7.3 and Drupal 7.4. Read the announcement for more information.

See also the Drupal core project page.

Reported by

The access bypass was reported independently by numerous people, including Sascha Grossenbacher, Khaled Alhourani, and Ben Ford.

Fixed by

The access bypass was fixed by Károly Négyesi, member of the Drupal security team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities

Drupal Security Team — Wed, 25 May 2011 18:07:48 +0000

Advisory ID: DRUPAL-SA-CORE-2011-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2011-May-25
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass, Cross Site Scripting

Description

CVE: CVE-2011-2687

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Reflected cross site scripting vulnerability in error handler

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites.

This issue affects Drupal 6.x only.

Cross site scripting vulnerability in Color module

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

When using private files in combination with a node access module, the File module allows unrestricted access to private files.

This issue affects Drupal 7.x only.

Versions affected

Drupal 7.x before version 7.1.
Drupal 6.x before version 6.21.

Solution

Install the latest version:

If you are running Drupal 7.x then upgrade to Drupal 7.1 or 7.2.
If you are running Drupal 6.x then upgrade to Drupal 6.21 or 6.22.

See the release announcement for more information.

See also the Drupal core project page.

Reported by

The reflected cross site scripting vulnerability was reported by Heine Deelstra (*).
The Color module cross site scripting vulnerability was reported by Kasper Lindgaard, Secunia Research.
The File access bypass was reported by Hubert Lecorche, and Peter Bex.

Fixed by

The reflected cross site scripting vulnerability was fixed by Alan Smithee.
The Color module cross site scripting vulnerability was fixed by Stéphane Corlosquet (*), Heine Deelstra (*), and Peter Wolanin (*).
The File access bypass was fixed by Heine Deelstra (*).

(*) Member of the Drupal security team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities

Drupal Security Team — Wed, 11 Aug 2010 19:53:18 +0000

Advisory ID: DRUPAL-SA-CORE-2010-002
Project: Drupal core
Version: 5.x, 6.x
Date: 2010-August-11
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses were discovered in Drupal.

OpenID authentication bypass

The OpenID module provides users the ability to login to sites using an OpenID account.

The OpenID module doesn't implement all the required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks.

Specifically:
- OpenID should verify that a "openid.response_nonce" has not already been used for an assertion by the OpenID provider
- OpenID should verify the value of openid.return_to as obtained from the OpenID provider
- OpenID must verify that all fields that are required to be signed are signed

These specification violations allow malicious sites to harvest positive assertions from OpenID providers and use them on sites using the OpenID module to obtain access to preexisting accounts bound to the harvested OpenIDs. Intercepted assertions from OpenID providers can also be replayed and used to obtain access to user accounts bound to the intercepted OpenIDs.

This issue affects Drupal 6.x only. A separate security announcement and release is published for the contributed OpenID module for Drupal 5.x.

File download access bypass

The upload module allows users to upload files and provides access checking for file downloads.

The module looks up files for download in the database and serves them for download after access checking. However, it does not account for the fact that certain database configurations will not consider case differences in file names. If a malicious user uploads a file which only differs in letter case, access will be granted for the earlier upload regardless of actual file access to that.

This issue affects Drupal 5.x and 6.x.

Comment unpublishing bypass

The comment module allows users to leave comments on content on the site.

The module supports unpublishing comments by privileged users. Users with the "post comments without approval" permission however could craft a URL which allows them to republish previously unpublished comments.

This issue affects Drupal 5.x and 6.x.

Actions cross site scripting

The actions feature combined with Drupal's trigger module allows users to configure certain actions to happen when users register, content is submitted, and so on; through a web based interface.

Users with "administer actions permission" can enter action descriptions and messages which are not properly filtered on output. Users with content and taxonomy tag submission permissions can create nodes and taxonomy terms which are not properly sanitized for inclusion in action messages and inject arbitrary HTML and script code into Drupal pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Versions affected

Drupal 6.x before version 6.18 or 6.19.
Drupal 5.x before version 5.23.

Solution

Install the latest version:

If you are running Drupal 6.x then upgrade to Drupal 6.18 or Drupal 6.19.
If you are running Drupal 5.x then upgrade to Drupal 5.23.

Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.

The security team starts a new practice of releasing both a pure security update without other bugfixes and a security update combined with other bug fixes and improvements. You can choose to either only include the security update for an immediate fix (which might require less quality assurance and testing) or more fixes and improvements alongside the security fixes by choosing between Drupal 6.18 and Drupal 6.19. Read the announcement for more information.

Reported by

The OpenID authentication bypass issues were reported by Johnny Bufu, Christian Schmidt and Heine Deelstra (*).
The file download access bypass was reported by Wolfgang Ziegler.
The comment unpublish bypass issue was reported by Heine Deelstra (*).
The actions module cross site scripting was reported by Justin Klein Keane and Heine Deelstra (*).

(*) Member of the Drupal security team.

Fixed by

The OpenID authentication issues were fixed by Christian Schmidt, Heine Deelstra (*) and Damien Tournoud (*).
The file download access bypass was fixed by Dave Reid (*) and Neil Drumm (*).
The comment unpublish bypass issue was fixed by Heine Deelstra (*).
The actions module cross site scripting was fixed by Justin Klein Keane and Heine Deelstra (*).

(*) Member of the Drupal security team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.