=====================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN522
_____________________________________________________________________

DATE                : 20/11/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions 6.x, 7.x
                           prior to 6.29, 7.24.

======================================================================
https://drupal.org/SA-CORE-2013-003
______________________________________________________________________

- --------------------------BEGIN INCLUDED TEXT--------------------

   * Advisory ID: DRUPAL-SA-CORE-2013-003
   * Project: Drupal core [1]
   * Version: 6.x, 7.x
   * Date: 2013-November-20
   * Security risk: Highly critical [2]
   * Exploitable from: Remote
   * Vulnerability: Multiple vulnerabilities

- -------- DESCRIPTION
---------------------------------------------------------

Multiple vulnerabilities were fixed in the supported Drupal core
versions 6 and 7.


.... Multiple vulnerabilities due to optimistic cross-site request
forgery protection (Form API validation - Drupal 6 and 7)

Drupal's form API has built-in cross-site request forgery (CSRF)
validation, and also allows any module to perform its own validation on
the form.  In certain common cases, form validation functions may
execute unsafe operations.  Given that the CSRF protection is an
especially important validation, the Drupal core form API has been
changed in this release so that it now skips subsequent validation if
the CSRF validation fails.

This vulnerability is mitigated by the fact that a form validation
callback with potentially unsafe side effects must be active on the
site, and none exist in core. However, issues were discovered in
several popular contributed modules which allowed remote code execution
that made it worthwhile to fix this issue in core. Other similar issues
with varying impacts are likely to have existed in other contributed
modules and custom modules and therefore will also be fixed by this
Drupal core release.


.... Multiple vulnerabilities due to weakness in pseudorandom number
       generation using mt_rand() (Form API, OpenID and random password
       generation - Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator
for generating security related strings used in several core modules.
It was found that brute force tools could determine the seeds making
these strings predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected
until the security update has been applied.


.... Code execution prevention (Files directory .htaccess for Apache -
Drupal 6 and 7)

Drupal core attempts to add a "defense in depth" protection to prevent
script execution by placing a .htaccess file into the files directories
that stops execution of PHP scripts on the Apache web server. This
protection is only necessary if there is a vulnerability on the site or
on a server that allows users to upload malicious files. The
configuration in the .htaccess file did not prevent code execution on
certain Apache web server configurations. This release includes new
configuration to prevent PHP execution on several additional common
Apache configurations. If you are upgrading a site and the site is run
by Apache you must fix the file manually, as described in the
"Solution" section below.

This vulnerability is mitigated by the fact it only relates to a
defense in depth mechanism, and sites would only be vulnerable if they
are hosted on a server which contains code that does not use
protections similar to those found in Drupal's file API to manage
uploads in a safe manner.


.... Access bypass (Security token validation - Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if
the caller does not make sure that the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom
module must invoke drupal_validate_token() with an argument that can be
manipulated to not be a string by an attacker. There is currently no
known core or contributed module that would suffer from this
vulnerability.


.... Cross-site scripting (Image module - Drupal 7)

Image field descriptions are not properly sanitized before they are
printed to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a
permission to administer field descriptions, for example the "administer
taxonomy" permission to edit fields on taxonomy terms.


.... Cross-site scripting (Color module - Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A
malicious attacker could trick an authenticated administrative user into
visiting a page containing specific JavaScript that could lead to a
reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place
in older browsers, and in a restricted set of modern browsers, namely
Opera through user interaction, and Internet Explorer under certain
conditions.


.... Open redirect (Overlay module - Drupal 7)

The Overlay module displays administrative pages as a layer over the
current page (using JavaScript), rather than replacing the page in the
browser window. The Overlay module did not sufficiently validate URLs
prior to displaying their contents, leading to an open redirect
vulnerability.

This vulnerability is mitigated by the fact that it can only be used
against site users who have the "Access the administrative overlay"
permission.


- -------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance,
in accordance with Drupal Security Team processes./

- -------- VERSIONS AFFECTED
---------------------------------------------------


   * Drupal core 6.x versions prior to 6.29.
   * Drupal core 7.x versions prior to 7.24.


- -------- SOLUTION
------------------------------------------------------------


Install the latest version:

   * If you use Drupal 6.x, upgrade to Drupal core 6.29 [4].
   * If you use Drupal 7.x, upgrade to Drupal core 7.24 [5].


- -------- WARNING: FIXING THE CODE EXECUTION PREVENTION MAY REQUIRE
SERVER CONFIGURATION; PLEASE READ: -----------------------------------------


To fix the code execution prevention vulnerability on existing Apache
installations also requires changes to your site's .htaccess files in
the files directories. Until you do this, your site's status report
page at admin/reports/status will display error messages about the
problem. Please note that if you are using a different web server such
as Nginx the .htaccess files have no effect and you need to configure
PHP execution protection yourself in the respective server
configuration files.

To fix this issue, you must edit or replace the old .htaccess files
manually.

    Copies of the .htaccess files are found in the public files
directory and temporary files directory, and (for Drupal 7 only) the
private files directory if your site is configured to use one.  To find
the location of these directories, consult the error messages at
admin/reports/status, or visit the file system configuration page at
admin/settings/file-system (Drupal 6) or admin/config/media/file-system
(Drupal 7).

Go onto your server, navigate to each directory, and replace or create
the .htaccess file in this directory with the contents described below.
Alternatively, you can remove the .htaccess file from each directory
using a tool like SFTP and then visit the file system configuration page
(admin/settings/file-system in Drupal 6 or
admin/config/media/file-system in Drupal 7) and click the save button to
have Drupal create the
file automatically.

The recommended .htaccess file contents are as follows.

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

     # Override the handler again if we're run later in the evaluation list.
     SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003


# If we know how to do it safely, disable the PHP engine entirely.

     php_flag engine off

# PHP 4, Apache 1.

     php_flag engine off

# PHP 4, Apache 2.

     php_flag engine off



For Drupal 7:


# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

     # Override the handler again if we're run later in the evaluation list.
     SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003


# If we know how to do it safely, disable the PHP engine entirely.

     php_flag engine off

Also see the Drupal core [6] project page.


- -------- REPORTED BY
---------------------------------------------------------

   * The form validation cross-site request forgery issue was reported
by Heine Deelstra [7] of the Drupal Security Team.
   * The non-random seed vulnerability was reported by David Stoline [8]
of the Drupal Security Team.
   * The code execution prevention vulnerability was reported by Lee
Rowlands    [9] of the Drupal Security Team, Miguel Jacq [10],
artfulrobot [11], and Dave Fletcher [12].
   * The token access bypass issue was reported by Heine Deelstra [13]
of the Drupal Security Team.
   * The Image module cross-site scripting issue was reported by
Francisco José Cruz Romanos [14].
   * The Color module cross-site scripting issue was reported by Mauro
Gentile [15].
   * The open redirect in the Overlay module was reported by Stephane
     Corlosquet [16] of the Drupal Security Team, and by Sebastian Nerz.

- -------- FIXED BY
------------------------------------------------------------


   * The form validation cross-site request forgery issue was fixed by
Lee Rowlands [17] and Klaus Purer [18], both of the Drupal Security Team.
   * The non-random seed vulnerability was fixed by Owen Barton [19],
David Stoline [20], Heine Deelstra [21], Damien Tournoud [22], and
Peter Wolanin [23], all of the Drupal Security Team.
   * The code execution prevention vulnerability was fixed by David
Rothstein [24] of the Drupal Security Team, Morbus Iff [25] of the
Drupal Security Team, Dan Reif [26], Antoine Beaupré [27], Miguel
Jacq [28], Christopher Gervais [29], and Herman van Rink [30].
   * The token access bypass issue was fixed by Heine Deelstra [31],
Klaus Purer [32], and David Rothstein [33], all of the Drupal Security Team.
   * The Image module cross-site scripting issue was fixed by Francisco
José Cruz Romanos [34], and Peter Wolanin [35] of the Drupal Security
Team.
   * The Color module cross-site scripting issue was fixed by David
Rothstein [36] of the Drupal Security Team.
   * The open redirect in the Overlay module was fixed by Heine Deelstra
[37] of the Drupal Security Team.


- -------- COORDINATED BY
------------------------------------------------------


The Drupal Security Team [38]


- -------- CONTACT AND MORE INFORMATION
----------------------------------------


The Drupal security team can be reached at security at drupal.org or
via the contact form at http://drupal.org/contact [39].

Learn more about the Drupal Security team and their policies [40],
writing secure code for Drupal [41], and securing your site [42].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/drupal-6.29-release-notes
[5] http://drupal.org/drupal-7.24-release-notes
[6] http://drupal.org/project/drupal
[7] https://drupal.org/user/17943
[8] https://drupal.org/user/329570
[9] https://drupal.org/user/395439
[10] https://drupal.org/user/153206
[11] https://drupal.org/user/1206300
[12] https://drupal.org/user/72475
[13] https://drupal.org/user/17943
[14] https://drupal.org/user/848238
[15] https://drupal.org/user/1862060
[16] https://drupal.org/user/52142
[17] https://drupal.org/user/395439
[18] https://drupal.org/user/262198
[19] https://drupal.org/user/19668
[20] https://drupal.org/user/329570
[21] https://drupal.org/user/17943
[22] https://drupal.org/user/22211
[23] https://drupal.org/user/49851
[24] https://drupal.org/user/124982
[25] https://drupal.org/user/9034
[26] https://drupal.org/user/454444
[27] https://drupal.org/user/1274
[28] https://drupal.org/user/153206
[29] https://drupal.org/user/368613
[30] https://drupal.org/user/449000
[31] https://drupal.org/user/17943
[32] https://drupal.org/user/262198
[33] https://drupal.org/user/124982
[34] https://drupal.org/user/848238
[35] https://drupal.org/user/49851
[36] https://drupal.org/user/124982
[37] https://drupal.org/user/17943
[38] https://drupal.org/security-team
[39] http://drupal.org/contact
[40] http://drupal.org/security-team
[41] http://drupal.org/writing-secure-code
[42] http://drupal.org/security/secure-configuration

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================