DRUPAL-SA-2005-004.txt

DRUPAL-SA-2005-004.txt: Posted Aug 17, 2005; Authored by Uwe Hermann | Site drupal.org; Stefan Esser of the Hardened-PHP Project reported a serious vulnerability in the third-party XML-RPC library included with some Drupal versions. An attacker could execute arbitrary PHP code on a target site.; tags | advisory, arbitrary, php; SHA-256 | f1693245942b10512ab9dd01ee950c7b7ead43979f7b2d80448b9875aa3599a3; Download | Favorite | View

DRUPAL-SA-2005-004.txt

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2005-004
Date:           2005-aug-15
CVE ID:         CAN-2005-2498
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An 
attacker could execute arbitrary PHP code on a target site.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a 
different one.

Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.

Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
                          other PHP projects using the XML-RPC library.
                          He plans a coordinated release of all affected
                          projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
                          is spoiled because information about the security
                          issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
                          a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org 
or using the form at http://drupal.org/contact.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann <uwe@hermann-uwe.de>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de

Top Authors In Last 30 Days

Red Hat 275 files
indoushka 177 files
Jay Turla 150 files
Ubuntu 77 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 25 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,592)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,327)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,893)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,867)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

DRUPAL-SA-2005-004.txt

DRUPAL-SA-2005-004.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DRUPAL-SA-2005-004.txt

Share This

DRUPAL-SA-2005-004.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems