----------------------------------------------------------------------

Want a new job?

http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/

International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/

----------------------------------------------------------------------

TITLE:
Drupal Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA31028

VERIFY ADVISORY:
http://secunia.com/advisories/31028/

CRITICAL:
Moderately critical

IMPACT:
Hijacking, Cross Site Scripting, Manipulation of data

WHERE:
>From remote

SOFTWARE:
Drupal 5.x
http://secunia.com/product/13378/
Drupal 6.x
http://secunia.com/product/17839/

DESCRIPTION:
Some vulnerabilities have been reported in Drupal, which can be
exploited by malicious people to conduct cross-site scripting,
cross-site request forgery, session fixation, SQL injection, and
script insertion attacks.

1) Certain input passed via taxonomy terms is not properly sanitised
before being used. This can be exploited to insert arbitrary HTML and
script code, which will be executed in a user's browser session in
context of an affected site when a user selects a term and previews
the node.

2) Certain input passed from OpenID providers is not properly
sanitised before being returned to a user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

These vulnerabilities reportedly affected version 6.x only.

3) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. delete OpenID identities or
translation strings by enticing a logged-in user to visit a malicious
site.

4) An error in the handling of certain sessions can be exploited to
hijack another user's session by tricking the user into logging in
after following a specially crafted link.

5) Certain input passed to numeric fields in the Schema API is not
properly sanitised before being used in an SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are reported in version 5.x and 6.x.

SOLUTION:
Update to the latest versions or apply patch for version 5.7 or 6.2.

Drupal 5.x:
Update to version 5.8.
http://ftp.drupal.org/files/projects/drupal-5.8.tar.gz

Drupal 6.x
Update to version 6.3.
http://ftp.drupal.org/files/projects/drupal-6.3.tar.gz

Drupal 5.7:
Apply patch.
http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch

Drupal 6.2:
Apply patch.
http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Erich C. Beyrent, John Morahan, Peter Wolanin
(Drupal security team), Neil Drumm (Drupal security team), and Heine
Deelstra (Drupal security team).

ORIGINAL ADVISORY:
http://drupal.org/node/280571

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------