In association with heise online

15 January 2008, 12:14

Drupal CMS closes security holes


Updated versions of the Drupal open-source content management system patch cross-site scripting (XSS) holes that allowed attackers to inject and execute external script code remotely, within the security context of the Drupal-driven site, in the user's browser. Furthermore, a vulnerability in the Metatags add-on module allowed external code to be executed on the server. The developers have now remedied the situation with an update.

According to a security advisory published by the developers, one of the XSS vulnerabilities was the result of Internet Explorer 6's flawed handling of UTF-8 encoded characters that do not comply with the specification. Attackers were able to inject characters into the browser that Drupal would have filtered out had they complied with the UTF-8 specification. In the aggregator module, a simple HTTP GET request is enough to remove subscribed RSS feeds. If users with privileges to remove RSS feeds follow a manipulated link, for instance a specially crafted <IMG> tag within a website, they may unintentionally delete subscribed feeds.
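The paragraph above describes two distinct flaws: a byte-level filter that misses non-compliant UTF-8 which the browser nevertheless renders as markup, and a state-changing action reachable by a plain GET. The following Python example is added here for illustration and is not Drupal's code; it shows the defensive side of both. The overlong byte sequences, the session secret and the request dictionaries are constructed for the demonstration, and the function and parameter names are hypothetical.

```python
import hmac
import html
from typing import Optional, Set, Tuple

# Constructed sample: overlong two-byte encodings of "<" (0xC0 0xBC) and ">"
# (0xC0 0xBE). The UTF-8 specification forbids overlong forms, but a lenient
# decoder (as in Internet Explorer 6) renders them as the ASCII characters, so
# a filter that only looks for literal 0x3C / 0x3E bytes never sees them.
OVERLONG_LT = b"\xc0\xbc"
OVERLONG_GT = b"\xc0\xbe"
SAMPLE_INPUT = OVERLONG_LT + b"b" + OVERLONG_GT  # would render as <b> in IE6


def naive_byte_filter(raw: bytes) -> bytes:
    """The flawed approach: strip literal angle brackets from raw bytes.
    Overlong encodings pass through untouched."""
    return raw.replace(b"<", b"").replace(b">", b"")


def strict_utf8_text(raw: bytes) -> Optional[str]:
    """Decode strictly. Overlong and otherwise malformed sequences are rejected
    (None) before any HTML filtering happens, so nothing reaches the page that
    a lenient browser could reinterpret as markup."""
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None


def render_user_text(raw: bytes) -> str:
    """Defensive pipeline: validate the encoding first, then HTML-escape.
    Invalid input is dropped rather than guessed at."""
    text = strict_utf8_text(raw)
    if text is None:
        return ""
    return html.escape(text, quote=True)


# --- CSRF side: a feed-removal action that cannot be triggered by a GET ---

def make_csrf_token(session_secret: bytes, action: str) -> str:
    """Per-session, per-action token; a third-party page cannot compute it."""
    return hmac.new(session_secret, action.encode("utf-8"), "sha256").hexdigest()


def remove_feed(request: dict, session_secret: bytes,
                feeds: Set[str]) -> Tuple[int, Set[str]]:
    """Only accept POST (an <IMG> tag can only issue GET) and only with a
    valid token. Returns (HTTP status, resulting feed set)."""
    if request.get("method") != "POST":
        return 405, feeds  # Method Not Allowed: GET must never change state
    expected = make_csrf_token(session_secret, "aggregator/remove")
    supplied = request.get("form", {}).get("token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403, feeds  # Forbidden: token missing or wrong
    fid = request["form"]["fid"]
    return 200, feeds - {fid}


if __name__ == "__main__":
    print("naive filter left:", naive_byte_filter(SAMPLE_INPUT))
    print("strict decode:", strict_utf8_text(SAMPLE_INPUT))
    secret = b"constructed-session-secret"
    print("GET:", remove_feed({"method": "GET", "form": {"fid": "1"}}, secret, {"1", "2"}))
```

The two halves make the same point from different angles: validate input at the boundary (encoding first, filtering second) and never let a request that a browser issues on its own, such as an image fetch, perform a privileged action.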

Theme files (.tpl.php) that are accessible on the web represent yet another vulnerability if the PHP option register_globals is active. While the .htaccess files that Drupal supplies attempt to disable this option, this does not work in all configurations. The developers have therefore added warnings to the CMS's administrator page; version 5.6 even refuses to install at all.

In versions 4.7.11 and 5.6, the developers have remedied the flaws. These versions can be downloaded as complete packages. Alternatively, administrators can download individual patches, for which links have been provided in the security advisories, and apply them to current installations. The developers recommend that the updates be installed as soon as possible.

Updated packages are also available as downloads for the Drupal-based vbDrupal project, which combines Drupal with the popular vBulletin board. Finally, a vulnerability in the nodewords 1.6 add-on module for Drupal 5.x, which allows attackers to inject and execute code on the server, has been fixed in version 5.x-1.7 of the module, also known as Metatags. Users of this add-on are advised to install the updated version immediately.


(mba)

Permalink: http://h-online.com/-735815