------------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2007-018
------------------------------------------------------------------------------
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-July-26
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Multiple cross site scripting vulnerabilities
------------------------------------------------------------------------------
Description
-----------
Some server variables are not escaped consistently. When a malicious user is
able to entice a victim to visit a specially crafted link or webpage, arbitrary
HTML and script code can be injected and executed in the context of the
victim's session on the targeted website.
Custom content type names are not escaped consistently. A malicious user with
the 'administer content types' permission would be able to inject and execute
arbitrary HTML and script code on the website.
Revoking the 'administer content types' permission provides an immediate
workaround.
Both vulnerabilities are known as cross site scripting.
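As an added example (not Drupal's own code and not the SA-2007-018 patch), the output-escaping discipline that closes both issue classes above, applied to request-controlled server variables and to user-entered content type names; the helper names and the host name validation rule are assumptions, not something the advisory specifies:

```php
<?php
// Added example, not Drupal core or the SA-2007-018 patch: the escaping
// discipline the advisory describes, applied to the two inputs it names,
// request-controlled server variables and user-entered content type names.

// Equivalent to Drupal's check_plain(): HTML-encode <, >, & and both quote
// characters so the value is displayed as text, never parsed as markup.
function escape_for_html($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Assumed hardening (not from the advisory): accept only characters that can
// appear in a host name, so a forged Host header cannot carry markup at all.
function is_plausible_host($host) {
  return (bool) preg_match('/^[A-Za-z0-9.\-]+(:[0-9]{1,5})?$/', $host);
}

// Server variables such as HTTP_HOST and REQUEST_URI are taken from the
// request, so they are user input and must be escaped at output time.
function server_var_for_html($name, $default = '') {
  $value = isset($_SERVER[$name]) ? $_SERVER[$name] : $default;
  return escape_for_html($value);
}

// A content type name is stored as entered by an administrator; escaping it
// when it is rendered keeps stored markup from reaching the browser.
function content_type_option_html($name) {
  $safe = escape_for_html($name);
  return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Constructed sample values carrying markup (not taken from the advisory).
$_SERVER['HTTP_HOST'] = 'www.example.com"><b>x</b>';
$_SERVER['REQUEST_URI'] = '/node/1?q=<i>y</i>';
$type_name = 'Story</option><b>z</b>';

// Unsafe pattern: raw interpolation lets the markup through.
$unsafe = '<a href="http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">Home</a>';
// Safe pattern: every untrusted fragment is escaped where it enters the page.
$safe = '<a href="http://' . server_var_for_html('HTTP_HOST') . server_var_for_html('REQUEST_URI') . '">Home</a>';

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";
echo "Host accepted: " . (is_plausible_host($_SERVER['HTTP_HOST']) ? 'yes' : 'no') . "\n";
echo "Type:   " . content_type_option_html($type_name) . "\n";
```

Escaping at the point of output is the fix the advisory relies on; the host name check is an extra layer that rejects a forged Host header before it is ever rendered.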
Versions affected
-----------------
- Drupal 4.7.x versions before Drupal 4.7.7
- Drupal 5.x versions before Drupal 5.2
Solution
--------
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7.
http://ftp.drupal.org/pub/drupal/files/projects/drupal-4.7.7.tar.gz
- If you are running Drupal 5.x then upgrade to Drupal 5.2.
http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz
If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade.
- To patch Drupal 4.7.6 use
http://drupal.org/files/sa-2007-018/SA-2007-018-4.7.6.patch.
- To patch Drupal 5.1 use
http://drupal.org/files/sa-2007-018/SA-2007-018-5.1.patch.
Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.7.7 or 5.2.
Important note
--------------
The configuration file settings.php is one of the files containing vulnerable
code. It is therefore critical to replace all of your sites' settings.php files
in subdirectories of sites with the new one from the archive. After you have
replaced the files, make sure to edit the value of the $db_url variable to be
identical to the value in your old settings.php. This is the information that
determines how Drupal connects to a database.
Reported by
-----------
- The server variables issue was reported by David Caylor.
- Content type naming issues were reported by Karthik.
Thanks
------
The security team wishes to thank Dave, Morten Wulff, Brenda Wallace,
Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Janssen and
Neil Drumm for technical assistance.
Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.