Closed Bug 469031 Opened 16 years ago Closed 16 years ago

SA-2008-073 - Drupal core - Multiple vulnerabilities

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: abuchanan, Assigned: chizu)

References

Details

This includes...
spreadfirefox.com
Kubla
Headrush
QMO 1 & 2


------------SA-2008-073 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

 * Advisory ID: DRUPAL-SA-2008-073

 * Project: Drupal core

 * Versions: 5.x and 6.x

 * Date: 2008-December-10

 * Security risk: Moderately Critical

 * Exploitable from: Remote

 * Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

CROSS SITE REQUEST FORGERY

The update system is vulnerable to Cross site request forgeries [
http://en.wikipedia.org/wiki/Csrf ]. Malicious users may cause the superuser
(user 1) to execute old updates that may damage the database.

CROSS SITE SCRIPTING

When an input format is deleted, not all existing content on a site is updated
to reflect this deletion. Such content is then displayed unfiltered. This may
lead to cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting
] attacks when harmful tags are no longer stripped from 'malicious' content that
was posted earlier.

------------VERSIONS AFFECTED------------

 * Drupal 5.x before version 5.13

 * Drupal 6.x before version 6.7

------------SOLUTION------------

Install the latest version:

 * If you are running Drupal 5.x then upgrade to Drupal 5.13 [
http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz ].

 * If you are running Drupal 6.x then upgrade to Drupal 6.7 [
http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz ].

Note: the robots.txt and .htaccess files have changed and need to be replaced.
The settings.php file has not been changed and can be left as it was if
upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. The patches fix security
vulnerabilities, but do not contain other fixes which were released in these
versions.

 * To patch Drupal 5.12 use SA-2008-073-5.12.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch ].

 * To patch Drupal 6.6 use SA-2008-073-6.6.patch [
http://drupal.org/files/sa-2008-073/SA-2008-073-6.6.patch ].

------------REPORTED BY------------

Both issues were reported by David Rothstein (David_Rothstein [
http://drupal.org/user/124982 ]).

------------CONTACT------------

The security team for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
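An added illustration of the input-format issue described in the advisory above (example code written for this page, not Drupal's own code): content stored with a filter-format id that no longer exists is modelled as rendering unfiltered, beside the hardened fallback to the site default format and an audit helper that lists the affected nodes. The format ids, allowed-tag sets and node rows are constructed sample data.

```python
import re

# Constructed data standing in for a filter-formats table (not Drupal code):
# format id -> allowed tag names; None means "Full HTML", i.e. no tag filtering.
DEFAULT_FORMAT = 1
FORMATS = {
    1: {"name": "Filtered HTML", "allowed": {"a", "em", "strong", "p"}},
    2: {"name": "Full HTML", "allowed": None},
    3: {"name": "Forum HTML", "allowed": {"em", "strong"}},
}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")

def strip_disallowed(text, allowed):
    """Crude stand-in for an HTML filter: drop every tag whose name is not allowed."""
    if allowed is None:
        return text
    return TAG_RE.sub(lambda m: m.group(0) if m.group(2).lower() in allowed else "", text)

def render_vulnerable(text, format_id, formats):
    """Models the pre-fix behaviour: no row for the id means no filter runs at all."""
    fmt = formats.get(format_id)
    return text if fmt is None else strip_disallowed(text, fmt["allowed"])

def render_fixed(text, format_id, formats, default=DEFAULT_FORMAT):
    """Hardened: an id that no longer exists falls back to the site default format."""
    if format_id not in formats:
        format_id = default
    return strip_disallowed(text, formats[format_id]["allowed"])

def orphaned_format_content(nodes, formats):
    """Audit helper: ids of nodes whose stored format id no longer exists."""
    return [n["nid"] for n in nodes if n["format"] not in formats]

def demo():
    formats = dict(FORMATS)
    nodes = [  # constructed node rows
        {"nid": 10, "body": "hi <script>alert(1)</script><strong>ok</strong>", "format": 3},
        {"nid": 11, "body": "<em>fine</em>", "format": 1},
    ]
    body, fid = nodes[0]["body"], nodes[0]["format"]
    before = render_vulnerable(body, fid, formats)
    del formats[3]  # admin deletes "Forum HTML"; node 10 still points at id 3
    return {
        "before": before,
        "after_vulnerable": render_vulnerable(body, fid, formats),
        "after_fixed": render_fixed(body, fid, formats),
        "orphaned": orphaned_format_content(nodes, formats),
    }
```

Running `demo()` shows the same stored body filtered before the deletion, passed through untouched by the modelled old behaviour afterwards, and filtered again by the fallback.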
Thanks Alex... I was just about to log a bug on this.  We need to move the QMO2 code to production as well, so will be creating that bug as well.  Hopefully we can both update the SVN with the security patch and also tag it for production in one shot.
Filed bug 469035 for QMO2 push to production after this bug is resolved and tested on authstage.
applied updates
- spreadfirefox - r20727
- kubla - r20728
- headrush - r20729
- qmo 1 & 2 - r20730

tagged for production
- spreadfirefox - r20732
- headrush - r20733
- kubla - r20734

push to production for QMO 1 & 2 will happen with bug 469035 per comment #2

IT, could you please svn up spreadfirefox, headrush, and kubla and run updates.php?

Thanks
Assignee: buchanae → server-ops
Component: Other → Server Operations: Web Content Push
Product: Websites → mozilla.org
QA Contact: other → mrz
Version: unspecified → other
Thanks Alex!
lowering severity so this doesn't page on-call at 2am
Severity: critical → major
Updated sfx, kubla, and headrush and ran update.php.
Assignee: server-ops → thardcastle
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Alex:  Did Drupal pull a firedrill and release another update?  The staged QMO2 site doesn't appear to be updated... it's showing 6.6 (and there are 2 updates shown as available):

Drupal 6.6
Recommended version: 6.8 (2008-Dec-11)

    * Download
    * Release notes

Security update: 6.7 (2008-Dec-10)

    * Download
    * Release notes

Includes: Block, Blog, Book, Color, Comment, Contact, Database logging, Filter, Forum, Help, Locale, Menu, Node, OpenID, PHP filter, Path, Profile, Search, Statistics, System, Taxonomy, Tracker, Trigger, Update status, Upload, User
chizu, can you make sure the QMO2 stage site is up-to-date?  

Also, is it svn up'ing automatically via cron?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
quality.authstage.mozilla.com using http://svn.mozilla.org/projects/quality.mozilla.org/branches/qmo2 at revision 20791 (20730 is the last change) automatically updated every ten minutes.
(In reply to comment #11)
> quality.authstage.mozilla.com using
> http://svn.mozilla.org/projects/quality.mozilla.org/branches/qmo2 at revision
> 20791 (20730 is the last change) automatically updated every ten minutes.

This sounds like the code is up to date in SVN, but if it's not showing up on authstage, what could be the problem?   Is the sync/update every 10 minutes not working?
It's updating, I pulled that information from the checked out copy and made sure that's the vhost serving quality.authstage.
I applied any differences between Drupal 6.8 core code and the qmo2 branch.  That should bring it up to date and the version number should update.

Please test to make sure that the core code changes didn't break any custom functionality you've coded into QMO2.

Thanks
Thanks Alex.  Stephend and I are testing authstage QMO2 now.  We'll report back if we see any issues.
I think we're fine; testing account log in, log out, and forum posts.
marking r.fixed.  authstage is looking good after alex's drupal update.
Status: REOPENED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard