=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2007/VULN379
_____________________________________________________________________

DATE                      : 04/10/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Boost module for DRUPAL.

======================================================================

- ------------SA-2007-022 - BOOST - FILE OVERWRITE------------

   * Advisory ID: DRUPAL-SA-2007-022.

   * Project: Boost (third-party module)

   * Version: 4.7.x-1.*, 5.x-0.*

   * Date: 2007-10-03

   * Security risk: Critical

   * Exploitable from: Remote

   * Vulnerability: Filesystem overwrite

- ------------DESCRIPTION------------

The Boost [ http://drupal.org//project/boost ] module provides a static
file-based cache of Drupal pages for anonymous users.  A vulnerability 
allows an
attacker to create or overwrite any filename in any directory that the web
server can write to.  The affected file will always contain the fully 
rendered
HTML for a single Drupal page; the attacker cannot control the content 
of the
affected file in any other way.

As an example, since most Drupal web servers have write access to the Drupal
installation directory, the attacker could replace Drupal's index.php 
with the
HTML of another page from the same site of his choosing, causing /every/ 
page
from the attacked site to appear like the chosen page.

- ------------VERSIONS AFFECTED------------

   * 5.x:

   * Boost before version 5.x-1.0

   * 4.7.x:

   * Boost before version 4.7.x-1.0

Drupal core is not affected. If you do not use the contributed Boost module,
there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

   * 5.x:

   * Boost 5.x-1.0 [ http://drupal.org//node/179811 ]

   * 4.7.x:

   * Boost 4.7.x-1.0 [ http://drupal.org//node/179810 ]

- ------------REPORTED BY------------

Barry Jaspan [ http://drupal.org/user/46413 ] of the Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org 
or via
the form at [ http://drupal.org/contact ].

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================