Security updates for Drupal CMS
In a security advisory, the developers of the Drupal content management system have warned of several security problems in versions 5.x and 6.x, assessing the vulnerabilities as generally "highly critical".
Besides a cross-site scripting (XSS) problem, the advisory lists two cross-site request forgery (CSRF) problems. Among other things, if users logged into the Drupal system access a page or site created by a malicious person, new access rules could be set without their noticing. Users with the right to administer the blog could also slip files into the system. Finally, the upload module contains errors that allow users with the right to upload files to escalate their privileges.
The developers are providing the corrected versions 5.10 and 6.4 for download, as well as patches for the previous versions.
- SA-2008-047 - Drupal core - Multiple vulnerabilities, security advisory by the developers