Frontsite update 20081025

Posted: Thu Oct 23, 2008 1:37 am
by ElonNarai
The frontsite will be updated on 2008-October-25
Current Status: NOT IN PROGRESS
BugTracker: #172

Drupal update 6.5 -> 6.6

------------SA-2008-067 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-067
  * Project: Drupal core
  * Versions: 5.x and 6.x
  * Date: 2008-October-22
  * Security risk: Less Critical
  * Exploitable from: Local/Remote
  * Vulnerability: Multiple vulnerabilities


Multiple vulnerabilities and weaknesses were discovered in Drupal.

------------FILE INCLUSION------------

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

------------CROSS SITE SCRIPTING------------

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

------------VERSIONS AFFECTED------------

  * Drupal 5.x before version 5.12
  * Drupal 6.x before version 6.6

Install the latest version:

  * If you are running Drupal 5.x then upgrade to Drupal 5.12.
  * If you are running Drupal 6.x then upgrade to Drupal 6.6.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

  * To patch Drupal 5.11 use SA-2008-067-5.11.patch.
  * To patch Drupal 6.5 use SA-2008-067-6.5.patch.

------------REPORTED BY------------

  * The file inclusion vulnerability was reported by Anthony Ferrara
  * The cross site scripting issue was reported by Maarten van Grootel


The security team for Drupal can be reached at security at or via the form at [ ].
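The advisory's FILE INCLUSION section gives only the condition (IP-based virtual hosts) and the outcome (files outside the Drupal root get included), not the code path. The example below is added here and is not Drupal's code or the patch from the advisory. It assumes the shape of Drupal's multi-site layout, where the configuration directory is picked from the request's Host header (sites/<host>/settings.php), and shows the defensive check a practitioner wants in front of any such lookup: on an IP-based virtual host the web server does not use the Host header to choose the site, so whatever the client sends reaches the application unchanged and must be validated against a strict character set and an operator-maintained allow-list before it is joined into a filesystem path. The allow-list contents and the function names are constructed for the example.

```php
<?php
// Added example (not Drupal core). Assumes a sites/<host> directory layout
// and an operator-supplied allow-list of host names; both are hypothetical.

/**
 * TRUE when $host is a plain host name: letters, digits, dots and hyphens,
 * with an optional :port. Slashes, backslashes, NUL bytes and ".." cannot
 * pass this check, so the value can never walk out of the sites/ tree.
 */
function is_safe_host_name($host) {
  $host = strtolower(rtrim((string) $host, '.'));
  if ($host === '' || strlen($host) > 253 || strpos($host, '..') !== FALSE) {
    return FALSE;
  }
  return (bool) preg_match('/^[a-z0-9][a-z0-9.-]*(:[0-9]{1,5})?$/', $host);
}

/**
 * Choose the site directory for a request. Falls back to sites/default
 * unless the host is both well-formed and on the allow-list.
 */
function select_site_directory($host, array $known_hosts) {
  if (!is_safe_host_name($host)) {
    return 'sites/default';
  }
  $host = strtolower(rtrim($host, '.'));
  $host = preg_replace('/:[0-9]+$/', '', $host);   // drop the port, as the
                                                   // directory name never has one
  if (!in_array($host, $known_hosts, TRUE)) {
    return 'sites/default';
  }
  return 'sites/' . $host;
}

// Constructed sample Host values: one legitimate, one with a port, and
// three that an unvalidated lookup would happily turn into a path.
$known = array('www.example.org', 'example.org');
$samples = array(
  'www.example.org',
  'www.example.org:8080',
  '../../etc',
  "www.example.org\0x",
  'other.example.net',
);
foreach ($samples as $h) {
  printf("%-28s -> %s\n", addcslashes($h, "\0"), select_site_directory($h, $known));
}
```

Only the first two samples resolve to sites/www.example.org; the rest land in sites/default. The allow-list is the important part: the character filter stops traversal, but a deployment that serves a fixed set of sites gains nothing by letting an arbitrary well-formed name pick a directory.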
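For the CROSS SITE SCRIPTING section, the practical rule is the one the advisory implies: a node title is user-supplied text and has to be HTML-escaped every time it is written into markup, not just on some paths. The example below is added here and is not Drupal's book module code; the check_plain() in it is a local stand-in that behaves like Drupal 6's function (htmlspecialchars with ENT_QUOTES and UTF-8), and the rendering functions and sample title are constructed.

```php
<?php
// Added example (not Drupal core). check_plain() here is a stand-in with the
// same escaping behaviour as Drupal 6's function of that name.

function check_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// The defect pattern: the title is concatenated into HTML unescaped, so a
// title such as the sample below becomes live script in every page that
// lists it (book navigation, outlines, breadcrumbs).
function render_book_link_unsafe($title, $path) {
  return '<a href="' . $path . '">' . $title . '</a>';
}

// The hardened form: every untrusted value is escaped at the point of output,
// regardless of whether it was "validated" when the node was saved.
function render_book_link($title, $path) {
  return '<a href="' . check_plain($path) . '">' . check_plain($title) . '</a>';
}

// Constructed sample: a book page title carrying script.
$title = 'Chapter 1 <script>alert(document.cookie)</script>';
$path  = '/node/1';

echo "unsafe: ", render_book_link_unsafe($title, $path), "\n";
echo "safe:   ", render_book_link($title, $path), "\n";
```

The second line prints the title with &lt;, &gt; and the quotes encoded, so the browser shows the literal text instead of executing it. Escaping on output rather than on input is what keeps the fix complete: there is no way for a title stored before the fix, or entered through a path that skipped validation, to reach the page unescaped.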