Package: drupal
Version: 4.5.3-3
Severity: normal
----------------------------------------------------------------------------
Drupal security advisory
DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2005-004
Date: 2005-aug-15
CVE ID: CAN-2005-2498
Security risk: highly critical
Impact: system access
Where: from remote
Vulnerability: arbitrary PHP code execution
----------------------------------------------------------------------------
Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerability
in the third-party XML-RPC library included with some Drupal versions. An
unauthenticated remote attacker could use it to execute arbitrary PHP code on
a target site.
Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a
different one.
Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.
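As an added example (not part of the advisory and not Drupal's own code), the
following POSIX shell helper turns the two steps above into a repeatable check:
it classifies an install against the affected-version list in this advisory
and, on request, applies the interim mitigation of removing xmlrpc.php. It
assumes you pass the Drupal version string and the site's document root as
arguments (for the Debian package reported here the upstream version is 4.5.3);
the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Drupal advisory or the Drupal project.
# Usage: sa_2005_004_status VERSION DRUPAL_ROOT [check|apply]
# Prints one of: not-affected, mitigated, vulnerable, removed.

# Affected versions, taken verbatim from DRUPAL-SA-2005-004.
sa_2005_004_affected() {
    case "$1" in
        4.5.0|4.5.1|4.5.2|4.5.3|4.5.4|4.6.0|4.6.1|4.6.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Release that fixes a given affected branch (4.5.5 / 4.6.3 per the advisory).
sa_2005_004_fixed_version() {
    case "$1" in
        4.5.*) echo "4.5.5" ;;
        4.6.*) echo "4.6.3" ;;
        *) echo "" ;;
    esac
}

# Exit status is 0 unless the install is still exposed, so the function can be
# used as "sa_2005_004_status ... || alert".
sa_2005_004_status() {
    ver="$1"; root="$2"; mode="${3:-check}"

    if ! sa_2005_004_affected "$ver"; then
        echo "not-affected"
        return 0
    fi

    # The XML-RPC server is only reachable through this entry point, so its
    # absence is the advisory's interim mitigation.
    if [ ! -f "$root/xmlrpc.php" ]; then
        echo "mitigated"
        return 0
    fi

    if [ "$mode" = "apply" ]; then
        # Delete rather than rename in place: Apache's mod_mime treats every
        # dotted extension in a name as significant, so "xmlrpc.php.bak" may
        # still be handed to PHP. Keep any backup outside the web root.
        rm -f "$root/xmlrpc.php"
        echo "removed"
        return 0
    fi

    echo "vulnerable"
    return 1
}

# Stand-alone use: ./sa_2005_004.sh 4.5.3 /var/www/drupal apply
if [ "$#" -ge 2 ]; then
    sa_2005_004_status "$@"
    fixed=$(sa_2005_004_fixed_version "$1")
    [ -n "$fixed" ] && echo "upgrade to Drupal $fixed when possible"
fi
```

Removing the file is a stopgap, not a fix: the status still reports the branch's
fixed release so the upgrade to 4.5.5 or 4.6.3 is not forgotten.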
Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal
  and other PHP projects using the XML-RPC library. He plans a coordinated
  release of all affected projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
  is spoiled because information about the security issue was leaked to the
  public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work
  on a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are
  released.
Contact
-------
The security contact for Drupal can be reached at [EMAIL PROTECTED]
or using the form at http://drupal.org/contact.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-bf2.4
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages drupal depends on:
ii apache 1.3.33-6 versatile, high-performance HTTP s
ii apache-ssl 1.3.33-6 versatile, high-performance HTTP s
ii apache2 2.0.54-4 next generation, scalable, extenda
ii apache2-mpm-prefork [apache2 2.0.54-4 traditional model for Apache2
ii debconf 1.4.30.13 Debian configuration management sy
ii makepasswd 1.10-2 Generate and encrypt passwords
ii mysql-client [virtual-mysql- 4.0.24-10 mysql database client binaries
ii php4-cli 4:4.3.10-15 command-line interpreter for the p
ii php4-mysql 4:4.3.10-15 MySQL module for php4
ii postfix [mail-transport-agen 2.1.5-9 A high-performance mail transport
ii wwwconfig-common 0.0.43 Debian web auto configuration
-- debconf information excluded