An unset() hash / index collision exploit against Drupal has been uncovered by Drupal’s security team. Affected PHP versions:
- PHP 5 before version 5.1.4
- PHP 4 before version 4.4.3
Solution: Upgrade your PHP installation to 4.4.7 or 5.2.4.
Drupal uses the unset statement to eliminate all non-whitelisted global variables when the option “register_globals” is enabled for your PHP installation. As unset() can be caused to fail on vulnerable versions of PHP, arbitrary global variables can be created. This can easily lead to the execution of arbitrary PHP code with a specially crafted URL, similar to the one shown below, that causes the menu system to call the PHP evaluator with arbitrary code:
An exploit for this is widely circulating. The attack will not work when “register_globals” is set to off.
The issue is not, however, limited to installations with “register_globals” set to on.
unset() is also used in other parts of the code base, where a bypass may result in unintended actions that may compromise your security.
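As an added check (my own code, not Drupal’s), the following PHP compares a runtime against the affected version ranges listed above and reads the register_globals setting, reporting whether the unset() bypass is relevant to that installation. The function names are assumptions chosen for this example.

```php
<?php
// Added example, not Drupal's code: assess whether a PHP runtime falls into the
// version ranges named in the advisory and whether register_globals is enabled.

/**
 * True when $version is in an affected range:
 * PHP 5 before 5.1.4, or PHP 4 before 4.4.3.
 */
function php_unset_bypass_affected(string $version): bool
{
    if (version_compare($version, '5.0.0', '>=')) {
        return version_compare($version, '5.1.4', '<');
    }
    return version_compare($version, '4.4.3', '<');
}

/**
 * Interprets an ini value the way PHP's boolean ini parser does: "1", "on",
 * "yes" and "true" mean enabled; anything else (including false, which
 * ini_get() returns once the directive no longer exists) means disabled.
 */
function register_globals_enabled($ini): bool
{
    $normalized = strtolower(trim((string) $ini));
    return in_array($normalized, ['1', 'on', 'yes', 'true'], true);
}

/**
 * Returns a list of findings; an empty list means neither condition applies.
 */
function assess_runtime(string $version, $registerGlobals): array
{
    $findings = [];
    if (php_unset_bypass_affected($version)) {
        $findings[] = "PHP $version is in an affected range; upgrade to 4.4.7 or 5.2.4 as the advisory recommends.";
    }
    if (register_globals_enabled($registerGlobals)) {
        $findings[] = "register_globals is enabled; the circulating attack relies on this setting, so turn it off.";
    }
    return $findings;
}

// Run against the current interpreter.
$findings = assess_runtime(PHP_VERSION, ini_get('register_globals'));
if ($findings === []) {
    echo "No finding: PHP version outside the affected ranges and register_globals off.\n";
}
foreach ($findings as $f) {
    echo $f, PHP_EOL;
}
```

The two checks are reported separately on purpose: an affected PHP version with register_globals off still warrants the upgrade, because the advisory notes that unset() is relied on elsewhere in the code base.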
Upgrade Your Core Drupal Installation
Multiple security vulnerabilities have been uncovered in Drupal’s core 5.2 installation.
HTTP response splitting
In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
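The following PHP is an added illustration (not Drupal’s own code) of the pattern the paragraph describes: a redirect helper that copies client input into a header beside one that refuses any byte capable of terminating a header line. The sample inputs are constructed for the example.

```php
<?php
// Added example, not Drupal's code. Unsafe header construction beside a
// hardened helper that rejects control characters in header values.

// Unsafe: whatever the client sends, CR/LF included, becomes part of a header.
function redirect_unsafe(string $destination): void
{
    header('Location: ' . $destination);
}

/**
 * True when $value contains no byte that could end a header line or inject a
 * second header. The value is checked raw and after one round of URL decoding,
 * so a percent-encoded CRLF is caught before a later decode turns it into
 * a real line break.
 */
function header_value_is_clean(string $value): bool
{
    foreach ([$value, rawurldecode($value)] as $candidate) {
        if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
            return false;
        }
    }
    return true;
}

// Hardened: a rejected value is logged and replaced with a fixed target,
// never echoed back into the response.
function redirect_safe(string $destination): void
{
    if (!header_value_is_clean($destination)) {
        error_log('Rejected redirect target containing control characters');
        $destination = '/';
    }
    header('Location: ' . $destination, true, 302);
    exit;
}

// Constructed inputs, not captured traffic.
$inputs = [
    '/node/1',
    "/node/1\r\nSet-Cookie: injected=1",
    '/node/1%0d%0aSet-Cookie:%20injected=1',
];
foreach ($inputs as $in) {
    printf("%-48s -> %s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        header_value_is_clean($in) ? 'accepted' : 'rejected');
}
```

Running the script shows the first input accepted and the two that carry a line break, raw or percent-encoded, rejected. Modern PHP releases also refuse a header() call whose value contains a newline, but validating before the call keeps the check visible and lets you log the attempt.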
Arbitrary code execution
The Drupal installer allows any visitor to provide credentials for a database when the site’s own database is not reachable. This allows attackers to run arbitrary code on the site’s server.
An immediate workaround is the removal of the file install.php in the Drupal root directory.
Cross site scripting
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.
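As an added example (not the Upload module’s code), the PHP below contrasts an extension list that still contains html with a hardened list, and shows headers that make a browser download an uploaded file rather than render it. The extension list is constructed for illustration, and treating htm the same as html is an assumption; the advisory names only html.

```php
<?php
// Added example, not the Upload module's own code.

// Constructed list for illustration; html is present, as the advisory describes.
const UPLOAD_EXTENSIONS_WEAK = ['jpg', 'jpeg', 'gif', 'png', 'txt', 'html', 'pdf'];

/**
 * Returns the list with extensions a browser would render as a document removed.
 * "htm" is included as an assumption; the advisory names only "html".
 */
function hardened_extension_list(array $allowed): array
{
    $rendered = ['html', 'htm'];
    return array_values(array_diff(array_map('strtolower', $allowed), $rendered));
}

/**
 * Accepts a file only when its final extension is on the list. Lower-cases
 * first so that "page.HTML" cannot slip past a lower-case list.
 */
function upload_extension_allowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, array_map('strtolower', $allowed), true);
}

/**
 * Headers for serving an uploaded file: force a download and stop the browser
 * from sniffing a script-bearing type out of the bytes. Returned as an array
 * so the decision can be inspected without sending anything.
 */
function download_headers(string $filename): array
{
    $safeName = str_replace(['"', "\r", "\n"], '', basename($filename));
    return [
        'Content-Type'           => 'application/octet-stream',
        'Content-Disposition'    => 'attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options' => 'nosniff',
    ];
}

$hardened = hardened_extension_list(UPLOAD_EXTENSIONS_WEAK);
foreach (['report.pdf', 'page.html', 'page.HTML', 'photo.png'] as $name) {
    printf("%-10s weak list: %-8s hardened list: %s\n",
        $name,
        upload_extension_allowed($name, UPLOAD_EXTENSIONS_WEAK) ? 'allowed' : 'rejected',
        upload_extension_allowed($name, $hardened) ? 'allowed' : 'rejected');
}
print_r(download_headers('page.html'));
```

Removing the extension closes the advisory’s case; serving uploads as attachments is the second layer, since it prevents any file that does get stored from executing script in the site’s origin when a user opens it.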
Wikipedia has more information about cross site scripting
Cross site request forgery
The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.
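The PHP below is an added example of the protection the Forms API provides and the user deletion form lacked: a per-session, per-form token that a cross-site form post cannot supply. It is not Drupal’s implementation (Drupal’s Forms API derives its token differently); the HMAC construction, the function names and the constructed session id and secret are assumptions made for the example.

```php
<?php
// Added example, not Drupal's Forms API code. A form token bound to the
// session and the form id, checked before a destructive action runs.

function form_token(string $formId, string $sessionId, string $siteSecret): string
{
    return hash_hmac('sha256', $formId . '|' . $sessionId, $siteSecret);
}

function form_token_valid(string $formId, string $sessionId, string $siteSecret, ?string $submitted): bool
{
    if ($submitted === null) {
        return false;
    }
    // Constant-time comparison so the check leaks nothing about the expected value.
    return hash_equals(form_token($formId, $sessionId, $siteSecret), $submitted);
}

// The token travels as a hidden field; a page on another origin cannot read it.
function render_user_delete_form(int $uid, string $sessionId, string $siteSecret): string
{
    $token = form_token('user_delete', $sessionId, $siteSecret);
    return '<form method="post" action="/user/' . $uid . '/delete">'
        . '<input type="hidden" name="form_token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
        . '<input type="submit" value="Delete account">'
        . '</form>';
}

// Handler: require POST and a valid token before deleting anything.
function handle_user_delete(array $request, string $sessionId, string $siteSecret): string
{
    if (($request['method'] ?? '') !== 'POST') {
        return 'refused: deletion must be a POST';
    }
    $submitted = $request['post']['form_token'] ?? null;
    if (!form_token_valid('user_delete', $sessionId, $siteSecret, $submitted)) {
        return 'refused: missing or invalid form token';
    }
    return 'deleted user ' . (int) $request['uid'];
}

// Constructed requests; the secret and session id are placeholders.
$secret = 'constructed-site-secret';
$sid    = 'constructed-session-id';

$legitimate = ['method' => 'POST', 'uid' => 42,
               'post' => ['form_token' => form_token('user_delete', $sid, $secret)]];
$crossSite  = ['method' => 'POST', 'uid' => 42, 'post' => []];          // forged form has no token
$viaGet     = ['method' => 'GET',  'uid' => 42, 'post' => []];          // link or image tag
$wrongSess  = ['method' => 'POST', 'uid' => 42,
               'post' => ['form_token' => form_token('user_delete', 'other-session', $secret)]];

foreach (['legitimate' => $legitimate, 'cross-site' => $crossSite,
          'GET' => $viaGet, 'other session' => $wrongSess] as $label => $req) {
    printf("%-14s %s\n", $label, handle_user_delete($req, $sid, $secret));
}
```

Only the request carrying the token minted for the victim’s own session succeeds; the forged post, the GET and the token from another session are all refused, which is the property the unprotected deletion form was missing.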
The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.