[Security announcements] SA-2008-073 - Drupal core - Multiple vulnerabilities

------------SA-2008-073 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-073

* Project: Drupal core

* Versions: 5.x and 6.x

* Date: 2008-December-10

* Security risk: Moderately Critical

* Exploitable from: Remote

* Vulnerability: Multiple vulnerabilities


Multiple vulnerabilities and weaknesses were discovered in Drupal.


The update system is vulnerable to Cross site request forgeries [
http://en.wikipedia.org/wiki/Csrf ]. Malicious users may cause the superuser
(user 1) to execute old updates that may damage the database.


When an input format is deleted, not all existing content on a site is updated
to reflect this deletion. Such content is then displayed unfiltered. This may
lead to cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting
] attacks when harmful tags are no longer stripped from 'malicious' content that
was posted earlier.

------------VERSIONS AFFECTED------------

* Drupal 5.x before version 5.13

* Drupal 6.x before version 6.7


Install the latest version:

* If you are running Drupal 5.x then upgrade to Drupal 5.13 [
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz ].

* If you are running Drupal 6.x then upgrade to Drupal 6.7 [
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz ].

Note: the robots.txt and .htaccess files have changed and need to be replaced.
The settings.php file has not been changed and can be left as it was if
upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. The patches fix security
vulnerabilities, but do not contain other fixes which were released in these

* To patch Drupal 5.12 use SA-2008-073-5.12.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch ].

* To patch Drupal 6.6 use SA-2008-073-6.6.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-6.6.patch ].

------------REPORTED BY------------

Both issues were reported by David Rothstein (David_Rothstein [
http://drupal.org/user/124982 ]).


The security team for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

Unsubscribe from this newsletter: http://drupal.org/newsletter/confirm/remove/73ff60b93f11343t44