Dear colleagues,
we have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.
Drupal SA-CORE-2011-001 – Multiple vulnerabilities in Drupal
Reflected cross-site scripting vulnerability in Drupal 6
In Drupal 6 before version 6.21, error messages are output in an insecure
manner. Drupal displays PHP error messages in the messages area, and a
specially crafted URL can inject script code into the message. A remote
attacker can exploit this vulnerability to execute arbitrary script commands
with the privileges of the user.
Cross-site scripting vulnerability in the Drupal Color module
In Drupal 6 and 7 before versions 6.21 and 7.1 respectively, user input in
themes with changeable colours is not sufficiently filtered, and arbitrary
Cascading Style Sheets (CSS) or script code can be injected. A remote
attacker who holds the "Administer themes" permission can exploit this
vulnerability to execute arbitrary CSS or script code with the privileges
of the user.
Bypass of access restrictions in Drupal 7
Drupal 7 before version 7.1 does not enforce access restrictions correctly.
When private files ('private files') are used in combination with the Node
Access module, unrestricted access to them is possible. A remote attacker
can exploit this vulnerability to gain unauthorised access to confidential
files.
The following software packages and platforms are affected:
Package drupal6
Package drupal7
Fedora 15
The vendor provides updated packages.
(c) of the German summary by DFN-CERT Services GmbH; distribution, including
in part, is permitted only with reference to the author, DFN-CERT Services
GmbH, and only for non-commercial purposes.
Kind regards,
Detlev O. Matthies
--
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic alerts https://www.cert.dfn.de/autowarn
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7575
2011-05-26 21:14:39
--------------------------------------------------------------------------------
Name : drupal7
Product : Fedora 15
Version : 7.2
Release : 1.fc15
URL : http://www.drupal.org
Summary : An open-source content-management platform
Description :
Equipped with a powerful blend of features, Drupal is a Content Management
System written in PHP that can support a variety of websites ranging from
personal weblogs to large community-driven websites. Drupal is highly
configurable, skinnable, and secure.
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupal’s
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.
This issue affects Drupal 6.x only.
.... Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the “Administer themes” permission.
This issue affects Drupal 6.x and 7.x.
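The Color module issue in miniature, as an added example that is not Drupal's own code or the project's actual fix: values submitted through the theme colour form are written into a generated stylesheet, so anything that is not a plain hex colour must be rejected before it reaches the CSS. Function names and the sample palettes are constructed for this illustration.

```php
<?php
// Added example, not Drupal's own code: the Color module issue in miniature.
// Function names are hypothetical; the palettes below are constructed.

// Vulnerable pattern: the submitted value goes straight into the stylesheet.
function example_color_css_unchecked(array $palette): string {
  $css = '';
  foreach ($palette as $target => $color) {
    [$selector, $property] = explode('|', $target, 2);
    $css .= $selector . ' { ' . $property . ': ' . $color . "; }\n";
  }
  return $css;
}

// Hardened: allow only #RGB or #RRGGBB. The /D modifier stops "$" from
// matching before a trailing newline, so "#fff\n" is rejected as well.
function example_color_is_valid(string $color): bool {
  return (bool) preg_match('/^#([0-9a-f]{3}){1,2}$/iD', $color);
}

// Refuse the whole palette if any value fails the check; NULL tells the
// caller to keep the previous stylesheet rather than write a tainted one.
function example_color_css(array $palette): ?string {
  foreach ($palette as $color) {
    if (!example_color_is_valid($color)) {
      return NULL;
    }
  }
  return example_color_css_unchecked($palette);
}

$ok  = ['body|background' => '#ffffff', 'a|color' => '#0074BD'];
// A value that closes the declaration block and appends its own rule.
$bad = ['body|background' => '#fff } body { display: none', 'a|color' => '#0074BD'];

// Unchecked path: the appended rule is emitted verbatim into the stylesheet.
echo example_color_css_unchecked($bad);
// Hardened path: the clean palette is written, the tainted one is refused.
var_dump(example_color_css($ok) !== NULL);
var_dump(example_color_css($bad) === NULL);
```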
.... Access bypass in File module
When using private files in combination with a node access module, the File
module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.x before version 7.1.
* Drupal 6.x before version 6.21.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.1 [3] or 7.2 [4].
* If you are running Drupal 6.x then upgrade to Drupal 6.21 [5] or 6.22 [6].
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.1
[7] and Drupal 7.2 [8] or Drupal 6.21 [9] and Drupal 6.22 [10].
See the release announcement [11] for more information.
See also the Drupal core [12] project page.
-------- REPORTED BY
---------------------------------------------------------
* The reflected cross site scripting vulnerability was reported by Heine
Deelstra [13] (*).
* The Color module cross site scripting vulnerability was reported by Kasper
Lindgaard, Secunia Research.
* The File access bypass was reported by Hubert Lecorche, and Peter Bex
[14].
-------- FIXED BY
------------------------------------------------------------
* The reflected cross site scripting vulnerability was fixed by Alan
Smithee.
* The Color module cross site scripting vulnerability was fixed by Stéphane
Corlosquet [15] (*), Heine Deelstra [16] (*), and Peter Wolanin [17] (*).
* The File access bypass was fixed by Heine Deelstra [18] (*).
(*) Member of the Drupal security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1168910
[4] http://drupal.org/node/1168946
[5] http://drupal.org/node/1168908
[6] http://drupal.org/node/1168950
[7] http://drupal.org/node/1168910
[8] http://drupal.org/node/1168946
[9] http://drupal.org/node/1168908
[10] http://drupal.org/node/1168950
[11] http://drupal.org/drupal-7.2
[12] http://drupal.org/project/drupal
[13] http://drupal.org/user/17943
[14] https://drupal.org/user/309898
[15] http://drupal.org/user/52142
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/17943
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration