Drupal Multiple Vulnerabilities

Advisory ID: DRUPAL-SA-CORE-2010-001
Project: Drupal core
Version: 5.x, 6.x
Date: 2010-March-03
Security risk: Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities and weaknesses were discovered in Drupal. Installation cross site scripting A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed. This issue affects Drupal 6.x only. Open redirection The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL. This issue affects Drupal 5.x and 6.x. Locale module cross site scripting Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission. This issue affects Drupal 5.x and 6.x. Blocked user session regeneration Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked. This issue affects Drupal 5.x and 6.x.
Versions Affected: * Drupal 6.x before version 6.16. * Drupal 5.x before version 5.22.


Install the latest version: * If you are running Drupal 6.x then upgrade to Drupal 6.16 [1]. * If you are running Drupal 5.x then upgrade to Drupal 5.22 [2]. Drupal 5 will no longer be maintained when Drupal 7 is released [3]. Upgrading to Drupal 6 [4] is recommended. If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerabilities, but do not contain other fixes which were released in Drupal 6.16 or Drupal 5.22. * To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch [5]. * To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch [6].

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://ftp.drupal.org/files/projects/drupal-6.16.tar.gz
[2] http://ftp.drupal.org/files/projects/drupal-5.22.tar.gz
[3] http://drupal.org/node/725382
[4] http://drupal.org/upgrade
[5] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-6.15.patch
[6] http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch

Back To Homepage

Dean was on time and his computer diagnosis was spot on.The computer problem was fixed in a matter of minutes.Dean also noticed we had 4 computers in the house and set up our wireless router in the time he had left so we could share files.I can...

Hello, Just a quick note to say thank you to Dean for his excellent customer service he provided during a recent computer problem we had.He was more than happy to answer any questions we had, and took the time to give us a full explanation in our...

Hi there, I would like to thank Dean for the outstanding service I recently received. Dean was very thorough, explained to us in detail what was wrong with our computer,