Bug 469031 - SA-2008-073 - Drupal core - Multiple vulnerabilities
Opened 16 years ago; Closed 16 years ago
Status: RESOLVED FIXED
Product / Component: Infrastructure & Operations Graveyard :: WebOps: Other (task)
Tracking: (Not tracked)
Reporter: abuchanan; Assigned: chizu
Description

This includes...
spreadfirefox.com
Kubla
Headrush
QMO 1 & 2

------------SA-2008-073 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-073
* Project: Drupal core
* Versions: 5.x and 6.x
* Date: 2008-December-10
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

CROSS SITE REQUEST FORGERY

The update system is vulnerable to Cross site request forgeries [ http://en.wikipedia.org/wiki/Csrf ]. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.

CROSS SITE SCRIPTING

When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier.

------------VERSIONS AFFECTED------------

* Drupal 5.x before version 5.13
* Drupal 6.x before version 6.7

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 5.x then upgrade to Drupal 5.13 [ http://ftp.drupal.org/files/projects/drupal-5.13.tar.gz ].
* If you are running Drupal 6.x then upgrade to Drupal 6.7 [ http://ftp.drupal.org/files/projects/drupal-6.7.tar.gz ].

Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

* To patch Drupal 5.12 use SA-2008-073-5.12.patch [ http://drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch ].
* To patch Drupal 6.6 use SA-2008-073-6.6.patch [ http://drupal.org/files/sa-2008-073/SA-2008-073-6.6.patch ].

------------REPORTED BY------------

Both issues were reported by David Rothstein (David_Rothstein [ http://drupal.org/user/124982 ]).

------------CONTACT------------

The security team for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
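The cross site scripting item in the advisory is a property of how Drupal 5/6 store content: bodies are saved raw and filtered on output through the filter chain of the input format recorded with them, so deleting a format leaves rows pointing at a chain that no longer exists. The following is an added model of that failure mode and of what a fix has to do; it is not Drupal's code or the SA-2008-073 patch, and the format ids, node rows and toy filters are all constructed for the illustration. It also includes the audit check an operator would run on an existing site: find content whose format id no longer exists.

```python
"""Model of the input-format deletion issue described in SA-2008-073.

Constructed example, not Drupal code. Content bodies are stored raw and
filtered on output through the chain of their input format, as in Drupal 5/6.
Format ids, node rows and filter functions are assumptions for the illustration.
"""
import html
import re

TAG_RE = re.compile(r"<[^>]*>")
ALLOWED_TAGS = {"a", "em", "strong", "p", "br"}

FILTERED_HTML, FULL_HTML, COMMUNITY_HTML = 1, 2, 4   # constructed ids
DEFAULT_FORMAT = FILTERED_HTML


def filter_html(text):
    """Keep an allow-list of tag names (attributes dropped); remove every other tag."""
    def keep(m):
        name = re.match(r"<(/?)\s*([a-zA-Z0-9]+)", m.group(0))
        if name and name.group(2).lower() in ALLOWED_TAGS:
            return f"<{name.group(1)}{name.group(2).lower()}>"
        return ""
    return TAG_RE.sub(keep, text)


def escape_all(text):
    """Plain-text style format: escape everything."""
    return html.escape(text, quote=True)


def make_site():
    """Constructed format table (id -> output filter chain) and content rows."""
    formats = {
        FILTERED_HTML: [filter_html],
        FULL_HTML: [],                  # trusted authors only
        COMMUNITY_HTML: [filter_html],  # a custom format an admin later deletes
    }
    nodes = {
        1: {"body": "<p>hi</p><script>alert(1)</script>", "format": COMMUNITY_HTML},
        2: {"body": "<b>trusted</b>", "format": FULL_HTML},
    }
    return formats, nodes


def render_unsafe(formats, body, fmt):
    """Pre-fix behaviour: an unknown format id has no chain, so nothing is stripped."""
    for f in formats.get(fmt, []):
        body = f(body)
    return body


def render_safe(formats, body, fmt):
    """Defensive renderer: an unknown format id falls back to the default chain."""
    chain = formats.get(fmt)
    if chain is None:
        chain = formats[DEFAULT_FORMAT]
    for f in chain:
        body = f(body)
    return body


def delete_format_unsafe(formats, nodes, fmt):
    """The bug: the format row goes away, content keeps pointing at it."""
    del formats[fmt]


def delete_format_safe(formats, nodes, fmt):
    """The fix: refuse to delete the default, reassign content that used the format."""
    if fmt == DEFAULT_FORMAT:
        raise ValueError("the default format cannot be deleted")
    del formats[fmt]
    for n in nodes.values():
        if n["format"] == fmt:
            n["format"] = DEFAULT_FORMAT


def dangling_format_rows(formats, nodes):
    """Audit check for an existing site: content whose format id no longer exists."""
    return sorted(nid for nid, n in nodes.items() if n["format"] not in formats)


def demo():
    """Walk through the advisory scenario; returns the rendered outputs."""
    formats, nodes = make_site()
    before = render_unsafe(formats, nodes[1]["body"], nodes[1]["format"])

    # Admin deletes the custom format without touching existing content.
    delete_format_unsafe(formats, nodes, COMMUNITY_HTML)
    after_unsafe = render_unsafe(formats, nodes[1]["body"], nodes[1]["format"])
    after_safe = render_safe(formats, nodes[1]["body"], nodes[1]["format"])
    dangling = dangling_format_rows(formats, nodes)

    # Same deletion with the corrected routine.
    formats2, nodes2 = make_site()
    delete_format_safe(formats2, nodes2, COMMUNITY_HTML)
    after_fixed_delete = render_unsafe(formats2, nodes2[1]["body"], nodes2[1]["format"])
    return {
        "before": before,
        "after_unsafe": after_unsafe,
        "after_safe": after_safe,
        "dangling": dangling,
        "after_fixed_delete": after_fixed_delete,
        "dangling_after_fix": dangling_format_rows(formats2, nodes2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The script tag stored in node 1 is harmless while the format exists and is stripped at render time; after the unsafe deletion the same stored body is emitted verbatim. The two defences are independent: reassigning content on deletion fixes the data, and falling back to the default chain for an unknown format id protects rows that were already orphaned before the fix was deployed, which is what the audit function is there to find.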
Comment 1•16 years ago
Thanks Alex... I was just about to log a bug on this. We need to move the QMO2 code to production as well, so will be creating that bug as well. Hopefully we can both update the SVN with the security patch and also tag it for production in one shot.
Comment 2•16 years ago
Filed bug 469035 for QMO2 push to production after this bug is resolved and tested on authstage.
Reporter
Comment 3•16 years ago
applied updates
- spreadfirefox - r20727
- kubla - r20728
- headrush - r20729
- qmo 1 & 2 - r20730

tagged for production
- spreadfirefox - r20732
- headrush - r20733
- kubla - r20734

push to production for QMO 1 & 2 will happen with bug 469035 per comment #2

IT, could you please svn up spreadfirefox, headrush, and kubla and run update.php? Thanks
Assignee: buchanae → server-ops
Component: Other → Server Operations: Web Content Push
Product: Websites → mozilla.org
QA Contact: other → mrz
Version: unspecified → other
Comment 5•16 years ago
Thanks Alex!
Reporter
Comment 6•16 years ago
lowering severity so this doesn't page on-call at 2am
Severity: critical → major
Updated sfx, kubla, and headrush and ran update.php.
Assignee: server-ops → thardcastle
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 9•16 years ago
Alex: Did Drupal pull a firedrill and release another update? The staged QMO2 site doesn't appear to be updated... it's showing 6.6 (and there are 2 updates shown as available):

Drupal 6.6
Recommended version: 6.8 (2008-Dec-11) * Download * Release notes
Security update: 6.7 (2008-Dec-10) * Download * Release notes
Includes: Block, Blog, Book, Color, Comment, Contact, Database logging, Filter, Forum, Help, Locale, Menu, Node, OpenID, PHP filter, Path, Profile, Search, Statistics, System, Taxonomy, Tracker, Trigger, Update status, Upload, User
Reporter
Comment 10•16 years ago
chizu, can you make sure the QMO2 stage site is up-to-date? Also, is it svn up'ing automatically via cron?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee
Comment 11•16 years ago
quality.authstage.mozilla.com using http://svn.mozilla.org/projects/quality.mozilla.org/branches/qmo2 at revision 20791 (20730 is the last change) automatically updated every ten minutes.
Comment 12•16 years ago
(In reply to comment #11)
> quality.authstage.mozilla.com using
> http://svn.mozilla.org/projects/quality.mozilla.org/branches/qmo2 at revision
> 20791 (20730 is the last change) automatically updated every ten minutes.

This sounds like the code is up to date in SVN, but if it's not showing up on authstage, what could be the problem? Is the sync/update every 10 minutes not working?
Assignee
Comment 13•16 years ago
It's updating, I pulled that information from the checked out copy and made sure that's the vhost serving quality.authstage.
Reporter
Comment 14•16 years ago
I applied any differences between Drupal 6.8 core code and the qmo2 branch. That should bring it up to date and the version number should update. Please test to make sure that the core code changes didn't break any custom functionality you've coded into QMO2. Thanks
Comment 15•16 years ago
Thanks Alex. Stephend and I are testing authstage QMO2 now. We'll report back if we see any issues.
I think we're fine; testing account log in, log out, and forum posts.
Comment 17•16 years ago
marking r.fixed. authstage is looking good after alex's drupal update.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
Updated•11 years ago
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Updated•5 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard