Drupal developers warn of critical flaws
The developers of the open source content management system Drupal have reported two vulnerabilities in its project issue tracking module which can be exploited to attack users and servers. The developers class the problem as critical.
According to an advisory issued by the development team, files can be uploaded when a new issue is created, but the module fails to verify that the uploaded file is a permitted file type, allowing JavaScript to be injected and executed on a user's browser. It is also possible to load external PHP scripts and thereby compromise the server.
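The missing check described above, a server-side allowlist on the uploaded file's type, can look like the following; this is an added example, not code from the advisory or from the Drupal module. The function name `checked_upload_name()`, the allowlist and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: server-side allowlist check for an uploaded attachment name.
// ALLOWED_EXTENSIONS and checked_upload_name() are hypothetical, not Drupal API.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'patch', 'diff', 'pdf'];

/**
 * Returns a safe storage name for an upload, or null if the type is not permitted.
 */
function checked_upload_name(string $client_name, array $allowed = ALLOWED_EXTENSIONS): ?string
{
    // Reject control characters (including NUL) before any path handling.
    if (preg_match('/[\x00-\x1f\x7f]/', $client_name)) {
        return null;
    }
    // Discard directory components supplied by the client.
    $name = basename(str_replace('\\', '/', $client_name));

    // Require an extension; a leading dot (".htaccess") does not count as one.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;
    }
    // Compare case-insensitively against the allowlist. Script and markup
    // types (php, html, js, svg) are absent, so they are refused.
    $ext = strtolower(substr($name, $dot + 1));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // Flatten everything before the final extension, so "notes.php.txt"
    // is stored as "notes_php.txt" and carries no second extension that
    // a web server could map to a script handler.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', substr($name, 0, $dot));
    return $stem . '.' . $ext;
}

// Constructed sample names, not taken from the advisory.
$samples = ['screenshot.PNG', 'fix.patch', 'payload.php', 'notes.php.txt',
            'page.html', '../../.htaccess', 'README'];
foreach ($samples as $n) {
    printf("%-18s => %s\n", $n, checked_upload_name($n) ?? 'REJECTED');
}
```

A name check of this kind decides only what the file is stored and served as; it does not inspect the file's content.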
The core Upload module must be activated for an attack to succeed, but it is activated by default in versions 5.x-2.x. In addition, there is a cross-site scripting vulnerability in the presentation of issue states. However, the advisory states that exploitation requires specific editor privileges, details of which are withheld.
The bugs are present in versions 5.x-2.x-dev prior to 30.1.2008, 5.x-1.2, 4.7.x-2.6, 4.7.x-1.6 and previous versions. The Drupal development team recommend updating to version 5.x-2.0, 5.x-1.3, 4.7.x-2.7 or 4.7.x-1.7. The update requires configuration changes. A precise description is given in the original advisories.
- Project issue tracking - Arbitrary file upload, security advisory on Drupal.org
- Project issue tracking - XSS vulnerability in comment summary, security advisory on Drupal.org
(mba)