=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN008
_____________________________________________________________________

DATE                      : 15/01/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Drupal core.

======================================================================
http://drupal.org/node/208562
http://drupal.org/node/208564
http://drupal.org/node/208565
______________________________________________________________________

- ------------
SA-2008-005 - DRUPAL CORE - CROSS SITE REQUEST FORGERY------------

   * Advisory ID: DRUPAL-SA-2008-005

   * Project: Drupal core

   * Version: 4.7.x, 5.x

   * Date: 2008-January-10

   * Security risk: Less critical

   * Exploitable from: Remote

   * Vulnerability: Cross site request forgery

- ------------DESCRIPTION------------

The aggregator module fetches items from RSS feeds and makes them
available on the site. The module provides an option to remove items
from a particular feed.
This has been implemented as a simple GET request and is therefore
vulnerable to cross site request forgeries. For example: Should a
privileged user view a page containing an  tag with a specially
constructed src pointing to a remove items URL, the items would be
removed.

- ------------VERSIONS AFFECTED------------

   * Drupal 4.7.x before version 4.7.11.

   * Drupal 5.x before version 5.6.

- ------------SOLUTION------------

Install the latest version:

   * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].

   * If you are running Drupal 5.x then upgrade to Drupal 5.6 [
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to 
secure your
installation until you are able to do a proper upgrade.

   * To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch [
http://drupal.org/files/sa-2008-005/SA-2008-005-4.7.10.patch ].

   * To patch Drupal 5.5 use SA-2008-005-5.5.patch [
http://drupal.org/files/sa-2008-005/SA-2008-005-5.5.patch ].

- ------------REPORTED BY------------

The Drupal security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org 
or via
the form at [ http://drupal.org/contact ].
_____________________________________________________________________________

- ------------SA-2008-006 - DRUPAL CORE - CROSS SITE SCRIPTING 
(UTF8)------------

   * Advisory ID: DRUPAL-SA-2008-006

   * Project: Drupal core

   * Version: 4.7.x, 5.x

   * Date: 2008-January-10

   * Security risk: Moderately critical

   * Exploitable from: Remote

   * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

When outputting plaintext Drupal strips potentially dangerous HTML tags
and attributes from HTML, and escapes characters which have a special
meaning in HTML. This output filtering secures the site against cross
site scripting attacks via user input.

Certain byte sequences that are invalid in the UTF8 specification are
not handled properly by Internet Explorer 6 and may lead it to see a
multibyte start character where none is present. Internet Explorer 6
then consumes a number of subsequent UTF-8 characters. This may lead to
unsafe attributes that were outside a tag for the filter to appear
inside a tag for Internet Explorer 6.
This behaviour can then be used to insert and execute javascript in the
context of the website.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Xss ] (XSS).

- ------------VERSIONS AFFECTED------------

   * Drupal 4.7.x before version 4.7.11.

   * Drupal 5.x before version 5.6.

- ------------SOLUTION------------

Install the latest version:

   * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].

   * If you are running Drupal 5.x then upgrade to Drupal 5.6 [
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to 
secure your
installation until you are able to do a proper upgrade.

   * To patch Drupal 4.7.10 use SA-2008-006-4.7.10.patch [
http://drupal.org/files/sa-2008-006/SA-2008-006-4.7.10.patch ].

   * To patch Drupal 5.5 use SA-2008-006-5.5.patch [
http://drupal.org/files/sa-2008-006/SA-2008-006-5.5.patch ].

- ------------IMPORTANT NOTE------------

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum 
version.

Use of modules that purposely insert bytes that are invalid UTF-8
characters, such as GeSHi Filter [ 
http://drupal.org//project/geshifilter ] and Code Filter
[ http://drupal.org//project/codefilter ] will cause any text using the
filter to not be displayed. Disable the modules until a solution has
been found.

- ------------REPORTED BY------------

The vulnerability was discovered during an audit of Drupal core by
Stefan Esser, Mayflower GmbH and Zend.

The Drupal security team wants to thank Die Zeit [ http://www.zeit.de/
], who commissioned the audit, for sharing the results.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ].

________________________________________________________________________


- ------------
SA-2008-007 - DRUPAL CORE - CROSS SITE SCRIPTING 
(REGISTER_GLOBALS)------------

   * Advisory ID: DRUPAL-SA-2008-007

   * Project: Drupal core

   * Version: 4.7.x, 5.x

   * Date: 2008-January-10

   * Security risk: Less critical

   * Exploitable from: Remote

   * Vulnerability: Cross site scripting when register_globals is enabled.

- ------------DESCRIPTION------------

When theme .tpl.php files are accessible via the web and the PHP setting
register_globals is set to enabled, anonymous users are able to execute
cross site scripting attacks via specially crafted links.

Drupals .htaccess attempts to set register_globals to disabled and also
prevents access to .tpl.php files. Only when both these measures are not
effective and your PHP interpreter is configured with register_globals
set to enabled, will this issue affect you.

- ------------VERSIONS AFFECTED------------

   * Drupal 4.7.x

   * Drupal 5.x

- ------------SOLUTIONS------------

   * Disable register_globals. Please refer to the PHP documentation [
http://www.php.net/configuration.changes ] on information how to
configure PHP.

   * Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page
when register_globals is enabled. Drupal 5.6 will refuse installation on
an insecurely configured server. Existing sites will continue to work.

- ------------REPORTED BY------------

Ultra Security Research.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ].

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================