Important Drupal and PHP Security Upgrades


An unset() hash/index collision vulnerability in PHP, exploitable through Drupal, has been reported by Drupal’s security team. PHP versions affected:

  • PHP 5 before version 5.1.4
  • PHP 4 before version 4.4.3

Solution: Upgrade your PHP installation to 4.4.7 or 5.2.4.

Description

The PHP unset() Hash / Index collision vulnerability causes the unset() statement to fail in certain circumstances.

Drupal uses the unset() statement to eliminate all non-whitelisted global variables when the “register_globals” option is enabled in your PHP installation. Because unset() can be made to fail on vulnerable versions of PHP, arbitrary global variables can be created. This can easily lead to the execution of arbitrary PHP code with a specially crafted URL, similar to the one shown below, that causes the menu system to call the PHP evaluator with arbitrary code:

//example.com?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1/%3C?phpinfo();

An exploit for this is widely circulating. The attack will not work when “register_globals” is set to off.

The issue is not limited to installations with “register_globals” set to on.
unset() is used in other parts of the code base where a bypass /may/ result in unintended actions that /may/ compromise your security.

Upgrade Your Core Drupal Installation

Multiple security vulnerabilities have been uncovered in the Drupal 5.2 core installation.

Solution: Upgrade to Drupal 5.3 or Drupal 4.7.8 (these are download files). You also want to make sure that under Settings -> File uploads, “html” is not listed as an allowed extension.

Note: If for some reason you can’t upgrade yet, please apply the following patches to your existing installation: Drupal 5.2 or Drupal 4.7.7 (click to download files).

Vulnerabilities

HTTP response splitting

In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.

Arbitrary code execution

The Drupal installer allows any visitor to provide credentials for a database when the site’s own database is not reachable. This allows attackers to run arbitrary code on the site’s server.

An immediate workaround is the removal of the file install.php in the Drupal root directory.

Cross site scripting

The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files, but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not upload yourself. If you need to review files individually, look for script tags, CSS includes, JavaScript includes, and onerror="" attributes.
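As an added example (not from the advisory or the Drupal project), the following Python script applies the review checklist above to a Drupal files directory: it walks the tree, reads every .html/.htm file and reports which indicators each one contains. The sample files it builds are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the advisory's review checklist: script tags, JavaScript
# includes, CSS includes and onerror="" attributes. Matching is case-insensitive.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_include": re.compile(r"<\s*script\b[^>]*\bsrc\s*=", re.I),
    "css_include": re.compile(
        r"<\s*link\b[^>]*\brel\s*=\s*['\"]?stylesheet|@import\b", re.I),
    "onerror_attr": re.compile(r"\bonerror\s*=", re.I),
}

HTML_SUFFIXES = {".html", ".htm"}


def scan_file(path: Path) -> list:
    """Return the names of all indicators found in one file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_files_dir(root: str) -> dict:
    """Walk the files directory and report every .html/.htm file carrying
    at least one indicator, keyed by its path relative to root."""
    root_path = Path(root)
    findings = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and path.suffix.lower() in HTML_SUFFIXES:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root_path).as_posix()] = hits
    return findings


def demo() -> dict:
    """Build a constructed files/ tree with one benign and two suspicious
    uploads, then scan it. The contents are made up for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        files = Path(tmp) / "files"
        (files / "sub").mkdir(parents=True)
        (files / "readme.html").write_text("<p>Just a page</p>")
        (files / "evil.html").write_text(
            '<img src=x onerror="alert(1)"><script src="//x/a.js"></script>')
        (files / "sub" / "style.HTM").write_text(
            '<link rel="stylesheet" href="//x/s.css">')
        return scan_files_dir(str(files))


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against the real files directory with scan_files_dir("/path/to/drupal/files"); the hit list tells you which check triggered so you can review each flagged file by hand.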

Wikipedia has more information about cross site scripting

Cross site request forgery

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.

Access bypass

The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.

Alex brings a series of in-depth articles on search marketing and content management systems, as well as troubleshooting tips, to We Rock Your Web's collection. He is an avid tennis player, nature enthusiast, and hiker, and enjoys spending time with his wife, friends, and dogs, Bella and Lily.

1 Comment on "Important Drupal and PHP Security Upgrades"

Anonymous

I’m still using PHP3. It has some flaws though, and for a third version I was expecting more. I tried using it with offshore corporation and it failed miserably to get me where I wanted. I consider myself a good programmer (see how I didn’t use the word very in front of good?) but still it seems like the code is hard to follow.
