SA-CORE-2010-001 – Drupal core – Multiple vulnerabilities

• Advisory ID: DRUPAL-SA-2010-001-CORE
• Project: Drupal core
• Version: 5.x, 6.x
• Date: 2010-March-2003
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities and weaknesses Were discovered in Drupal.

Installation cross site scripting

A user-supplied value is output Directly During installation Allowing a malicious user to craft a URL and Perform a cross-site scripting attack. The exploit can only be Conducted on sites not yet installed.

This Issue Affects Drupal 6.x only.

Open redirection

The API function drupal_goto () is susceptible to a phishing attack. Could an attacker made a redirect in a Way That gets the Drupal site to send the user to an arbitrarily Provided URL. No user submitted data will be sent to That URL.

This Issue Affects Drupal 5.x and 6.x.

Local module cross-site scripting

Local dependent Contributed modules and module do not sanitize the display of language codes, and Inglese native language names properly. While These Usually as from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact That the attacker must have a role with the ‘Administer languages’ permission.

This Issue Affects Drupal 5.x and 6.x.

Blocked user session regeneration

Under Certain Circumstances, a user with an open session is blocked That Can Maintain his / her session on the Drupal site, Despi Being blocked.

This Issue Affects Drupal 5.x and 6.x.

Versions affected

• Drupal 6.x before version 6.16.
• Drupal 5.x before version 5.22.

Solution

Install the latest version:

• If you are running Drupal 6.x then upgrade to Drupal 6.16 .
• If you are running Drupal 5.x then upgrade to Drupal 5.22 .

Drupal 5 will no Longer be maintained When Drupal 7 is released . Upgrading to Drupal 6 is recommended.

If you are unable to upgrade Immediately, you can apply a patch to secure your installation until you are Able to do a proper upgrade. These patches fix the security vulnerabilities, But Do Not Contain other fixes released in Which Were Drupal Drupal 6.16 or 5.22.

• To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch .
• To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch .

Reported by

The installation cross site scripting issue Was Reported by David Rothstein (*).
The console redirection Was Reported by Martin Barbella .
The local module cross-site scripting Was Reported by Justin Klein Keane .
The blocked user session regeneration issue Was Reported by Craig A. Hancock .

(*) Member of the Drupal security team.

Fixed by

The installation cross site scripting issue Was fixed by Heine Deelstra .
The console redirection Was fixed by Gerhard Killesreiter and Heine Deelstra .
The local module cross-site scripting Was fixed by Stéphane Corlosquet , Peter Wolanin , Heine Deelstra and Neil Drumm .
The blocked user session regeneration issue Was fixed by Gerhard Killesreiter .

Were All the fixes done by members of the Drupal security team.

Contact

The security team for Drupal can be Reached at security at drupal.org or via the form at http://drupal.org/contact .