----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2005-004
Date:           2005-aug-15
CVE ID:         CAN-2005-2498
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An 
attacker could execute arbitrary PHP code on a target site.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a 
different one.

Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.

Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
                          other PHP projects using the XML-RPC library.
                          He plans a coordinated release of all affected
                          projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
                          is spoiled because information about the security
                          issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
                          a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org 
or using the form at http://drupal.org/contact.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann <uwe@hermann-uwe.de>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de