Drupal developers warn of critical flaws
The developers of the open source content management system Drupal have reported two vulnerabilities in its project issue tracking module which can be exploited to attack users and servers. The developers class the problem as critical.
The first flaw allows arbitrary file uploads: the core Upload module must be enabled for an attack to succeed, and it is enabled by default in versions 5.x-2.x. In addition, there is a cross-site scripting vulnerability in the presentation of issue states. However, the advisory states that exploitation requires specific editor privileges, details of which are withheld.
The bugs are present in versions 5.x-2.x-dev prior to 30.1.2008, 5.x-1.2, 4.7.x-2.6, 4.7.x-1.6 and previous versions. The Drupal development team recommend updating to version 5.x-2.0, 5.x-1.3, 4.7.x-2.7 or 4.7.x-1.7. The update requires configuration changes. A precise description is given in the original advisories.
- Project issue tracking - Arbitrary file upload, security advisory on Drupal.org
- Project issue tracking - XSS vulnerability in comment summary, security advisory on Drupal.org