Security updates for Drupal
The developers of the open source Drupal content management system have released versions 5.20 and 6.14 to fix four vulnerabilities. The holes include a cross-site request forgery vulnerability that allows attackers to add their own OpenID to an existing Drupal account and subsequently access the account. For the attack to succeed, however, the victim must be logged into Drupal and visit a malicious web page. Another flaw in the OpenID implementation allows a user to access another user's account if both are connected to the same OpenID 2.0 provider.
A further flaw in Apache's file API allows executable files to be uploaded to a server. However, this is reportedly only possible if the server is configured to ignore the settings in the .htaccess file in the upload directory. The advisory doesn't indicate when this could potentially be the case. The update for version 5.x also closes a session fixation hole that allows attackers to take over a user's session.
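The two account-level problems described above, a forged cross-site request against a state-changing form and a session that keeps its pre-login identifier, are both addressed by well-known patterns. The following is an added illustration in plain PHP and is not Drupal's own code; the function names `csrf_token`, `csrf_check` and `login_user` are hypothetical, and the form is a stand-in for an "add OpenID to my account" page.

```php
<?php
// Added illustration (not Drupal's code): a minimal defensive pattern for
// the two account-level weaknesses the advisory describes, CSRF on a
// state-changing form and session fixation at login.
// Function names are hypothetical.

declare(strict_types=1);

session_start();

// Issue a per-session anti-CSRF token. A malicious page on another origin
// can make the victim's browser submit this form, but it cannot read the
// token out of the victim's session, so the forged request fails the check.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Session fixation defence: after successful authentication, discard the
// pre-login session id so an id planted by an attacker never becomes an
// authenticated one. A fresh session also gets a fresh CSRF token.
function login_user(int $uid): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    unset($_SESSION['csrf_token']);
}

// Handler for the "add OpenID to my account" form: reject any POST that
// does not carry the token from the current session.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... validate $_POST['openid'] and attach it to $_SESSION['uid'] ...
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>OpenID <input type="text" name="openid"></label>
  <button type="submit">Add OpenID</button>
</form>
```

The token check and `session_regenerate_id()` are the respective mitigations; the fix shipped in Drupal 5.20 and 6.14 applies the same principles within Drupal's own form and session APIs. For the file-upload flaw, the relevant check on a site is whether Apache is configured to honour the `.htaccess` file in the upload directory, since that file is what stops uploaded files from being executed.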
The developers rate the holes as critical and recommend that users update as soon as possible. Those who plan to update are advised to read the update notes before going ahead as there are a number of database changes associated with the update. Appropriate patches have also been released.
- SA-CORE-2009-008 - Drupal core - Multiple vulnerabilities, Drupal developers' advisory