Drupal security announcement

Syndicate content
Updated: 3 min 2 sec ago

SA-CORE-2014-005 - Drupal core - SQL injection

Wed, 2014-10-15 12:02
Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued

  • CVE-2014-3704
Versions affected
  • Drupal core 7.x versions prior to 7.32.
Solution

Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page.

Reported by
  • Stefan Horst
Fixed by Coordinated by Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security Watch

SA-CORE-2014-004 - Drupal core - Denial of service

Wed, 2014-08-06 13:41
Description

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement).

CVE identifier(s) issued
  • CVE-2014-5265 has been issued for the code changes in xmlrpc.inc which prevent entity declarations and therefore address the "vulnerable to an XML entity expansion attack ... can cause CPU and memory exhaustion" concern.
  • CVE-2014-5266 has been issued for the "Skip parsing if there is an unreasonably large number of tags" in both xmlrpc.inc and xrds.inc.
  • CVE-2014-5267 has been issued for the code change to reject any XRDS document with a /<!DOCTYPE/i match.
Versions affected
  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.
Solution

Install the latest version:

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security Watch

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Wed, 2014-07-16 10:48
  • Advisory ID: DRUPAL-SA-CORE-2014-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.

Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.32.
  • Drupal core 7.x versions prior to 7.29.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
  • The access bypass vulnerability in the File module was reported by Ivan Ch.
  • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
  • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
Fixed by
  • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
  • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
  • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
  • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security Watch