---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2005-002 ---------------------------------------------------------------------------- Advisory ID: DRUPAL-SA-2005-002 Date: 2005-jun-29 Security risk: highly critical Impact: system access Where: from remote Vulnerability: arbitrary PHP code execution ---------------------------------------------------------------------------- Description ----------- Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's filter mechanism. An attacker could execute arbitrary PHP code on a target site when public comments or postings are allowed. Versions affected ----------------- Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3 Drupal 4.6.0, 4.6.1 Solution -------- Either disable public comments and postings, or upgrade to the latest Drupal version: - If you cannot upgrade immediately, you can secure your site by disabling public postings and comments. Log in as an administrator, go to "administer >> access control" and make sure that untrusted roles don't have the permissions to submit or edit content. - If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.4. - If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.2. Contact ------- The security contact for Drupal can be reached at security@drupal.org or using the form at http://drupal.org/contact.