=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN412
_____________________________________________________________________

DATE                      : 09/10/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running DRUPAL CORE.

======================================================================
http://drupal.org/node/318706
______________________________________________________________________
- ------------SA-2008-060 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-060

  * Project: Drupal core

  * Versions: 5.x and 6.x

  * Date: 2008-October-8

  * Security risk: Critical

  * Exploitable from: Remote

  * Vulnerability: Multiple vulnerabilities

- ------------DESCRIPTION------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

- ------------FILE UPLOAD ACCESS BYPASS------------

A logic error in the core upload module validation allowed unprivileged
users to attach files to content. This bug affects Drupal 6.x only.

Users can view files attached to content which they do not otherwise
have access to. This bug affects Drupal 5.x only.

If the core upload module is not enabled, your site will not be
affected.

- ------------ACCESS RULES BYPASS------------

A deficiency in the user module allowed users who had been blocked by
access rules to continue logging into the site under certain conditions.

If you do not use the 'access rules' functionality in core, your site
will not be affected.

This bug affects both Drupal 5.x and Drupal 6.x.

- ------------BLOGAPI ACCESS BYPASS------------

The BlogAPI module does not implement correct validation for certain
content fields, allowing for values to be set for fields which would
otherwise be inaccessible on an internal Drupal form. We have hardened
these checks in BlogAPI module for this release, but the security team
would like to re-iterate that the 'Administer content with BlogAPI'
permission should only be given to trusted users.

If the core BlogAPI module is not enabled, your site will not be
affected.

This bug affects both Drupal 5.x and Drupal 6.x.

- ------------NODE VALIDATION BYPASS------------

A weakness in the node module API [
http://api.drupal.org/api/function/hook_nodeapi ] allowed for node
validation to be bypassed in certain circumstances for contributed
modules implementing the API. Additional checks have been added to
ensure that validation is performed in all cases. This vulnerability
only affects sites using one of a very small number of contributed
modules, all of which will continue to work correctly with the improved
API. None of them were found vulnerable, so our correction is a
preventative measure.

This bug affects Drupal 5.x only.

- ------------VERSIONS AFFECTED------------

  * Drupal 5.x before version 5.11

  * Drupal 6.x before version 6.5
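
Added example (not part of the Drupal or CERT-Renater advisory): a Python
triage helper that maps a site's core version and enabled features to the
issues described above. The function names and the feature labels 'upload',
'blogapi' and 'access_rules' are assumptions made for this example.

```python
import re

# First fixed release per branch, as named in the advisory (5.11 and 6.5).
FIXED = {5: 11, 6: 5}

# (issue, branches affected, precondition label or None), per the advisory text.
ISSUES = [
    ("File upload access bypass (attach files)", {6}, "upload"),
    ("File upload access bypass (view attached files)", {5}, "upload"),
    ("Access rules bypass", {5, 6}, "access_rules"),
    ("BlogAPI access bypass", {5, 6}, "blogapi"),
    # Preventative fix; only relevant to some contributed modules.
    ("Node validation bypass (hook_nodeapi)", {5}, None),
]


def parse_version(text):
    """Return (major, minor) for an 'X.Y' release string, else None."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(version, features):
    """List the advisory's issues that apply to one site.

    version  -- Drupal core version string, e.g. '5.10'
    features -- set of labels (assumed names): 'upload' and 'blogapi' for
                enabled core modules, 'access_rules' if access rules are used
    """
    parsed = parse_version(version)
    if parsed is None:
        # Development snapshots and similar need a manual review.
        raise ValueError("unrecognised version: %r" % version)
    major, minor = parsed
    # Compare numerically: as plain strings, '5.9' would sort after '5.11'.
    if major not in FIXED or minor >= FIXED[major]:
        return []
    return [name for name, branches, needs in ISSUES
            if major in branches and (needs is None or needs in features)]


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = {"intranet": ("5.10", {"upload"}),
                 "blog": ("6.4", {"upload", "blogapi"}),
                 "portal": ("6.5", {"upload", "access_rules"})}
    for site, (version, features) in sorted(inventory.items()):
        print(site, version, triage(version, features) or "not affected")
```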

- ------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 5.x then upgrade to Drupal 5.11 [
http://ftp.drupal.org/files/projects/drupal-5.11.tar.gz ].

  * If you are running Drupal 6.x then upgrade to Drupal 6.5 [
http://ftp.drupal.org/files/projects/drupal-6.5.tar.gz ].

Note: the settings.php, robots.txt and .htaccess files have not changed
and can be left as they are if upgrading from the current version of
Drupal.

If you are unable to upgrade immediately, you can apply a patch to
secure your installation until you are able to do a proper upgrade. The
patches fix security vulnerabilities, but do not contain other fixes
which were released in these versions.

  * To patch Drupal 5.10 use SA-2008-060-5.10.patch [
http://drupal.org/files/sa-2008-060/SA-2008-060-5.10.patch ].

  * To patch Drupal 6.4 use SA-2008-060-6.4.patch [
http://drupal.org/files/sa-2008-060/SA-2008-060-6.4.patch ].

- ------------REPORTED BY------------

  * The upload module flaw was reported by Damien Tournoud [
http://drupal.org/user/22211 ]*

  * The access rules bypass was reported by jry2000 [
http://drupal.org/user/124456 ] and Stéphane Corlosquet [
http://drupal.org/user/52142 ]*

  * The BlogAPI vulnerability was reported by Caleb Delnay [
http://drupal.org/user/115182 ], Gábor Hojtsy [
http://drupal.org/user/4166 ]* and Heine Deelstra [
http://drupal.org/user/17943 ]*

  * The node modules vulnerability was reported by Derek Wright [
http://drupal.org/user/46549 ]*

Names marked with asterisk are members of the Drupal security team [
http://drupal.org/security-team ].

- ------------CONTACT------------

The security team for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




