[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050815023449.GA5115@aragorn>
Date: Mon Aug 15 03:34:58 2005
From: uwe at hermann-uwe.de (Uwe Hermann)
Subject: [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes
critical XML-RPC issue
----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2005-004
Date: 2005-aug-15
CVE ID: CAN-2005-2498
Security risk: highly critical
Impact: system access
Where: from remote
Vulnerability: arbitrary PHP code execution
----------------------------------------------------------------------------
Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An
attacker could execute arbitrary PHP code on a target site.
Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a
different one.
Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.
Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
other PHP projects using the XML-RPC library.
He plans a coordinated release of all affected
projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
is spoiled because information about the security
issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.
Contact
-------
The security contact for Drupal can be reached at security@...pal.org
or using the form at http://drupal.org/contact.
// Uwe Hermann, on behalf of the Drupal Security Team.
--
Uwe Hermann <uwe@...mann-uwe.de>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050815/35a3ec84/attachment.bin
Powered by blists - more mailing lists