In association with heise online

31 January 2008, 17:46

Drupal developers warn of critical flaws


The developers of the open source content management system Drupal have reported two vulnerabilities in its project issue tracking module which can be exploited to attack users and servers. The developers class the problem as critical.

According to an advisory issued by the development team, files can be uploaded when a new issue is created, but the module fails to verify that the uploaded file is a permitted file type, allowing JavaScript to be injected and executed on a user's browser. It is also possible to load external PHP scripts and thereby compromise the server.
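The kind of check the advisory says is missing can be sketched in PHP as a server-side allowlist test on attachment names. This is an added example, not code from the Drupal project or its advisory; the function name, the extension list and the sample file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of Drupal's API.

/**
 * Return true only if every dot-separated extension in the name is on the
 * allowlist. Testing every segment, not just the last, rejects names such as
 * "script.php.txt", which some web server configurations still pass to the
 * PHP interpreter, and "page.html", which a browser would render as markup.
 */
function attachment_name_is_permitted(string $filename, array $allowed): bool
{
    // Discard any client-supplied directory part (both separator styles).
    $name = basename(str_replace('\\', '/', $filename));

    // Reject empty names, dot-files such as ".htaccess", and control bytes.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f]/', $name)) {
        return false;
    }

    $parts = explode('.', strtolower($name));
    array_shift($parts);              // first segment is the base name
    if (count($parts) === 0) {
        return false;                 // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;             // also catches a trailing dot ("")
        }
    }
    return true;
}

// Constructed sample input: an assumed allowlist and assumed upload names.
$allowed = ['txt', 'png', 'jpg', 'patch', 'diff', 'tar', 'gz'];
$samples = [
    'fix-123.patch', 'screenshot.PNG', 'backup.tar.gz',
    'page.html', 'script.php', 'script.php.txt', '.htaccess', 'README',
];
foreach ($samples as $s) {
    $verdict = attachment_name_is_permitted($s, $allowed) ? 'accept' : 'reject';
    printf("%-16s %s\n", $s, $verdict);
}
```

The check is deliberately strict, so a name with extra dots in its base (a version number, for instance) is rejected. It complements, rather than replaces, storing uploads where the web server will not execute them.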

The core Upload module must be activated for an attack to succeed, but it is activated by default in versions 5.x-2.x. In addition, there is a cross-site scripting vulnerability in the presentation of issue states. However, the advisory states that exploitation requires specific editor privileges, details of which are withheld.

The bugs are present in versions 5.x-2.x-dev prior to 30.1.2008, 5.x-1.2, 4.7.x-2.6, 4.7.x-1.6 and previous versions. The Drupal development team recommend updating to version 5.x-2.0, 5.x-1.3, 4.7.x-2.7 or 4.7.x-1.7. The update requires configuration changes. A precise description is given in the original advisories.
