DRUPAL-SA-2005-004.txt

DRUPAL-SA-2005-004.txt: Posted Aug 17, 2005; Authored by Uwe Hermann | Site drupal.org; Stefan Esser of the Hardened-PHP Project reported a serious vulnerability in the third-party XML-RPC library included with some Drupal versions. An attacker could execute arbitrary PHP code on a target site.; tags | advisory, arbitrary, php; SHA-256 | f1693245942b10512ab9dd01ee950c7b7ead43979f7b2d80448b9875aa3599a3; Download | Favorite | View

DRUPAL-SA-2005-004.txt

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2005-004
Date:           2005-aug-15
CVE ID:         CAN-2005-2498
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An 
attacker could execute arbitrary PHP code on a target site.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a 
different one.

Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.

Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
                          other PHP projects using the XML-RPC library.
                          He plans a coordinated release of all affected
                          projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
                          is spoiled because information about the security
                          issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
                          a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org 
or using the form at http://drupal.org/contact.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann <uwe@hermann-uwe.de>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

DRUPAL-SA-2005-004.txt

DRUPAL-SA-2005-004.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DRUPAL-SA-2005-004.txt

Share This

DRUPAL-SA-2005-004.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems