Edit: read his comment at the end of the thread. Only change from 4.6.2 to 4.6.3 relates to XML-RPC. Thread closed. Next time, PLEASE mail security@drupal.org instead of a public post if you have security problems. chx.
This morning I noticed the following error in watchdog:
Type php
Datum Woensdag, 16 november, 2005 - 23:26
Gebruiker Gast
Locatie /comment/reply/1/29
Bericht system() has been disabled for security reasons in /home/a716/public_html/pctips/includes/common.inc(1847) : eval()'d code op lijn 1.
strengheid fout
Hostnaam 82.57.25.109
This was on pctips.ustilago.org running Drupal 4.6.2 without XML-RPC, where only site admins have the PHP input filter enabled. The error message seems to be from PHP safe mode.
From the same IP I had an error in watchdog on another site (ustilago.org) running 4.5.4 without XML-RPC:
Type error
Date Thursday, November 17, 2005 - 02:02
User Guest
Location /comment/reply/1
Message Comment: unauthorized comment submitted or comment submitted to a closed node test.
Hostname 82.57.25.109
The preceding actions (top = last) from 82.57.24.109:
Nov 17 2005 - 02:02 Post comment Guest 82.57.25.109
Nov 17 2005 - 02:01 Preview comment Guest 82.57.25.109
Nov 17 2005 - 02:01 Add new comment Guest 82.57.25.109
First I was afraid the upgrade to 4.6.2 didn't work, but the id line from comment.module clearly shows it's 4.6.2. I've searched and looked everywhere on drupal.org but can't find any mention that 4.6.2 has a code execution vulnerability other than the XML-RPC library. Am I mistaken?
Heine
PS My (very good) webhost Lientje.com is looking for 'old' Apache logs; I hope to find some more details there.
Comments
See drupal.org home page
There is a 4.6.3 release that fixes another bug found in the xml-rpc library. There is a note about it on the home page for drupal.org
Not XML-RPC
I don't see how this can be XML-RPC related; xmlrpc.php was removed. This was a comment injection / attempt.
--
Tips for posting to the forums
ok your site isn't secure
Hi,
I made a little examination of your site and I discovered that this isn't secure.
I advise you to upgrade this site to the 4.6.3 version.
This is not related to the XML-RPC file. :/
Could you please
Could you please elaborate?
--
Tips for posting to the forums
Drupal has released 4.6.3
Drupal has released the 4.6.3 version due to 2 (or more) bugs; one was related to XML-RPC, others not. I don't want to show people how to get admin privileges.
Can we meet on IRC?
Yes
Sure,
I'm already there on #drupal-support
--
Tips for posting to the forums
What??
Let's examine comment 4.6!
The only problem in comment.module which is fixed in 4.6.3 is that we used 'administer nodes' instead of 'administer comments'.
I also checked filter.module that has not even changed between 4.6.2 and 4.6.3.
I can say that you are not right. The last known core filter bug was fixed in 4.6.2.
--
Read my developer blog on Drupal4hu.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
You are right.
You are right,
According to changelog.txt I had 4.6.2. I've compared all modules & includes and they are all 4.6.1.
I traced it to a bug in my ftp client, where Overwrite if newer (all), didn't work properly for subdirectories.
My apologies for the trouble.
Heine
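The thread ends with a partial upgrade: the changelog said 4.6.2 while the files in subdirectories were still the older release. The following is an added example, not part of the original thread or Drupal's own tooling, that compares a deployed tree against an unpacked reference release by hash and flags that pattern; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_release(reference, deployed):
    """Return (stale, missing): release files whose deployed copy differs or is absent."""
    ref, dep = tree_hashes(reference), tree_hashes(deployed)
    stale = sorted(f for f in ref if f in dep and dep[f] != ref[f])
    missing = sorted(f for f in ref if f not in dep)
    return stale, missing

def partial_upgrade(reference, deployed):
    """True when top-level files match the release but files in subdirectories
    do not, the pattern left by an upload that skipped subdirectories."""
    stale, missing = compare_release(reference, deployed)
    bad = stale + missing
    return bool(bad) and all("/" in f for f in bad)

def build_sample(base):
    """Constructed sample: a 'release' tree and a 'deployed' tree whose
    subdirectories still hold the previous release's files."""
    new = {"CHANGELOG.txt": "4.6.2",
           "modules/comment.module": "new",
           "includes/common.inc": "new"}
    old_subdirs = {**new, "modules/comment.module": "old", "includes/common.inc": "old"}
    for name, tree in (("release", new), ("deployed", old_subdirs)):
        for rel, body in tree.items():
            path = Path(base) / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return Path(base) / "release", Path(base) / "deployed"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        release, deployed = build_sample(tmp)
        stale, missing = compare_release(release, deployed)
        print("stale:", stale, "missing:", missing)
        print("partial upgrade:", partial_upgrade(release, deployed))
```

Run against a real site, `reference` would be a freshly unpacked copy of the release the site is supposed to be running.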