In regard to the code exec: ever heard of whitelisting?

On 19 Dec. 2012 14:39, <[email protected]> wrote:
> View online: http://drupal.org/SA-CORE-2012-004
>
> * Advisory ID: DRUPAL-SA-CORE-2012-004
> * Project: Drupal core [1]
> * Version: 6.x, 7.x
> * Date: 2012-December-19
> * Security risk: Moderately critical [2]
> * Exploitable from: Remote
> * Vulnerability: Access bypass, Arbitrary PHP code execution
>
> -------- DESCRIPTION ---------------------------------------------------------
>
> Multiple vulnerabilities were fixed in the supported Drupal core versions 6
> and 7.
>
> .... Access bypass (User module search - Drupal 6 and 7)
>
> A vulnerability was identified that allows blocked users to appear in user
> search results, even when the search results are viewed by unprivileged
> users.
>
> This vulnerability is mitigated by the fact that the default Drupal core user
> search results only display usernames (and disclosure of usernames is not
> considered a security vulnerability [3]). However, since modules or themes
> may override the search results to display more information from each user's
> profile, this could result in additional information about blocked users
> being disclosed on some sites.
>
> CVE: Requested.
>
> .... Access bypass (Upload module - Drupal 6)
>
> A vulnerability was identified that allows information about uploaded files
> to be displayed in RSS feeds and search results to users that do not have the
> "view uploaded files" permission.
>
> This issue affects Drupal 6 only.
>
> CVE: Requested.
>
> .... Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
>
> Drupal core's file upload feature blocks the upload of many files that can be
> executed on the server by munging the filename. A malicious user could name a
> file in a manner that bypasses this munging of the filename in Drupal's input
> validation.
>
> This vulnerability is mitigated by several factors: The attacker would need
> the permission to upload a file to the server. Certain combinations of PHP
> and filesystems are not vulnerable to this issue, though we did not perform
> an exhaustive review of the supported PHP versions. Finally: the server would
> need to allow execution of files in the uploads directory. Drupal core has
> protected against this with a .htaccess file protection in place from
> SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache
> configurations [4]. Users of IIS should consider updating their web.config
> [5]. Users of Nginx should confirm that only the index.php and other known
> good scripts are executable. Users of other webservers should review their
> configuration to ensure the goals are achieved in some other way.
>
> CVE: Requested.
>
>
> -------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
>
> * /A CVE identifier [6] will be requested, and added upon issuance, in
> accordance with Drupal Security Team processes./
>
> -------- VERSIONS AFFECTED ---------------------------------------------------
>
> * Drupal core 6.x versions prior to 6.27.
> * Drupal core 7.x versions prior to 7.18.
>
> -------- SOLUTION ------------------------------------------------------------
>
> Install the latest version:
>
> * If you use Drupal 6.x, upgrade to Drupal core 6.27 [7].
> * If you use Drupal 7.x, upgrade to Drupal core 7.18 [8].
>
> Also see the Drupal core [9] project page.
>
> -------- REPORTED BY ---------------------------------------------------------
>
> * The access bypass issue in the User module search results was reported by
> Derek Wright [10] of the Drupal Security Team.
> * The access bypass issue in the Drupal 6 Upload module was reported by
> Simon Rycroft [11], and by Damien Tournoud [12] of the Drupal Security Team.
> * The arbitrary code execution issue was reported by Amit Asaravala [13].
>
> -------- FIXED BY ------------------------------------------------------------
>
> * The access bypass issue in the User module search results was fixed by
> Derek Wright [14], Ivo Van Geertruyen [15], Peter Wolanin [16], and David
> Rothstein [17], all members of the Drupal Security Team.
> * The access bypass issue in the Drupal 6 Upload module was fixed by
> Michaël Dupont [18], and by Fox [19] and David Rothstein [20] of the
> Drupal Security Team.
> * The arbitrary code execution issue was fixed by Nathan Haug [21] and
> Justin Klein-Keane [22], and by John Morahan [23] and Greg Knaddison [24]
> of the Drupal Security team.
>
> -------- COORDINATED BY ------------------------------------------------------
>
> * Jeremy Thorson [25] QA/Testing infrastructure
> * Ben Jeavons [26] of the Drupal Security Team
> * David Rothstein [27] of the Drupal Security Team
> * Gábor Hojtsy [28] of the Drupal Security Team
> * Greg Knaddison [29] of the Drupal Security Team
> * Fox [30] of the Drupal Security Team
>
> -------- CONTACT AND MORE INFORMATION ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org or via the
> contact form at http://drupal.org/contact [31].
>
> Learn more about the Drupal Security team and their policies [32], writing
> secure code for Drupal [33], and securing your site [34].
>
>
> [1] http://drupal.org/project/drupal
> [2] http://drupal.org/security-team/risk-levels
> [3] http://drupal.org/node/1004778
> [4] http://drupal.org/node/65409
> [5] http://drupal.org/node/1543392
> [6] http://cve.mitre.org/
> [7] http://drupal.org/drupal-6.27-release-notes
> [8] http://drupal.org/drupal-7.18-release-notes
> [9] http://drupal.org/project/drupal
> [10] http://drupal.org/user/46549
> [11] http://drupal.org/user/151544
> [12] http://drupal.org/user/22211
> [13] http://drupal.org/user/181407
> [14] http://drupal.org/user/46549
> [15] http://drupal.org/user/383424
> [16] http://drupal.org/user/49851
> [17] http://drupal.org/user/124982
> [18] http://drupal.org/user/400288
> [19] http://drupal.org/user/426416
> [20] http://drupal.org/user/124982
> [21] http://drupal.org/user/35821
> [22] http://drupal.org/user/302225
> [23] http://drupal.org/user/58170
> [24] http://drupal.org/user/36762
> [25] http://drupal.org/user/148199
> [26] http://drupal.org/user/91990
> [27] http://drupal.org/user/124982
> [28] http://drupal.org/user/4166
> [29] http://drupal.org/user/36762
> [30] http://drupal.org/user/426416
> [31] http://drupal.org/contact
> [32] http://drupal.org/security-team
> [33] http://drupal.org/writing-secure-code
> [34] http://drupal.org/security/secure-configuration
>
> _______________________________________________
> Security-news mailing list
> [email protected]
> Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
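The quoted advisory describes Drupal's upload defence as filename munging, and the reply asks about whitelisting. The following is an added illustration of the allowlist approach; it is not Drupal's code and not the poster's, and the extension list, the sample filenames and the function names `upload_filename_allowlist` / `upload_storage_name` are constructed for this example. Rather than rewriting a suspicious name, every dot-separated extension segment must appear on the allowlist or the upload is refused, and the name actually written to disk is a random token rather than anything the client supplied.

```php
<?php
// Added example, not Drupal's code: an allowlist ("whitelist") check for
// uploaded filenames, the alternative to the denylist-style filename munging
// the advisory describes. The extension list and the sample names are
// constructed for illustration. Requires PHP 7.1+ (nullable return types).

/**
 * Validate and normalise an uploaded filename against an extension allowlist.
 *
 * Returns the normalised name, or NULL when the name must be rejected. Every
 * dot-separated segment after the basename is treated as an extension and
 * must be on the allowlist, so "backup.tar.gz" passes only when both "tar"
 * and "gz" are listed, and a name carrying an unlisted trailing or
 * intermediate extension is refused rather than rewritten.
 */
function upload_filename_allowlist(string $name, array $allowed): ?string {
    // A plain basename only: path separators and control characters
    // (including NUL) are never legitimate in an uploaded file name.
    if ($name === '' || preg_match('#[\\\\/\x00-\x1f]#', $name)) {
        return NULL;
    }
    $parts = explode('.', $name);
    // Require "base.ext"; a name with no extension or an empty base is refused.
    if (count($parts) < 2 || $parts[0] === '') {
        return NULL;
    }
    $base = array_shift($parts);
    foreach ($parts as $ext) {
        // Compare case-insensitively; an empty segment ("file..jpg") fails too.
        if ($ext === '' || !in_array(strtolower($ext), $allowed, TRUE)) {
            return NULL;
        }
    }
    // Collapse the basename to a conservative character set.
    $base = preg_replace('/[^A-Za-z0-9_-]+/', '_', $base);
    return $base . '.' . strtolower(implode('.', $parts));
}

/**
 * Storage name that does not reuse the client-supplied basename at all:
 * a random hex token plus the validated (allowlisted) extension(s).
 */
function upload_storage_name(string $validated): string {
    $ext = substr($validated, strpos($validated, '.'));   // ".jpg", ".tar.gz"
    return bin2hex(random_bytes(16)) . $ext;
}

// Demonstration on constructed input.
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'tar', 'gz'];
$samples = ['report.pdf', 'Photo.JPG', 'backup.tar.gz', 'notes.txt.exe',
            'index.php', 'a/b.png', "x\0.png", 'file', '.png'];
foreach ($samples as $s) {
    $r = upload_filename_allowlist($s, $allowed);
    printf("%-16s => %s\n", addcslashes($s, "\0..\37"),
           $r === NULL ? 'rejected' : $r . '  (stored as ' . upload_storage_name($r) . ')');
}
```

The allowlist check complements, and does not replace, the server-side mitigation the advisory stresses: the uploads directory must still be configured so that nothing in it is executed (the `.htaccess` protection from SA-2006-006 on Apache, `web.config` on IIS, or an Nginx configuration that passes only index.php and other known scripts to PHP).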
