Oct 18 2007

Important Drupal and PHP Security Upgrades


Filed under: Content Management Systems » Drupal

Upgrade your PHP Installation

An unset() hash/index collision vulnerability in PHP, exploitable through Drupal, has been uncovered by Drupal's security team. Affected PHP versions:

  • PHP 5 before version 5.1.4
  • PHP 4 before version 4.4.3

Solution: Upgrade your PHP installation to 4.4.7 or 5.2.4.

Description:

The PHP unset() Hash / Index collision vulnerability causes the unset() statement to fail in certain circumstances.

Drupal uses unset() to eliminate all non-whitelisted global variables when the option "register_globals" is enabled for your PHP installation. Because unset() can be made to fail on vulnerable versions of PHP, arbitrary global variables can be created. This can easily lead to the execution of arbitrary PHP code with a specially crafted URL, similar to the one shown below, that causes the menu system to call the PHP evaluator with arbitrary code:

http://example.com?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-813992032=1&q=1/%3C?phpinfo();

An exploit for this is widely circulating. The attack will not work when "register_globals" is set to off.

The issue is not limited to installations with "register_globals" set to on: unset() is used in other parts of the codebase, where a bypass /may/ result in unintended actions that /may/ compromise your security.
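The cleanup the paragraph above describes, as an added illustration (this is not Drupal's own code): every global not on a whitelist is removed, and each unset() is then checked, so that on an affected PHP build a silent failure becomes a hard stop instead of a poisoned global table. The whitelist, the `scrub_globals()` name and the `$injected` variable are constructed for the example.

```php
<?php
// Added example, not Drupal code: remove non-whitelisted globals and verify
// that unset() really removed each one, failing closed when it did not.

// Constructed whitelist: the superglobals, CLI arguments and the script's
// own variables.
$allowed = array('GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE', '_FILES',
                 '_ENV', '_REQUEST', '_SESSION', 'argv', 'argc',
                 'allowed', 'removed', 'injected_seen');

function scrub_globals(array $allowed) {
    // The scrub is a mitigation only; the real fix is register_globals=Off.
    if (ini_get('register_globals')) {
        error_log('register_globals is enabled; disable it in php.ini');
    }
    $removed = array();
    foreach (array_keys($GLOBALS) as $name) {
        if (in_array($name, $allowed, true)) {
            continue;
        }
        unset($GLOBALS[$name]);
        // On PHP 4 before 4.4.3 and PHP 5 before 5.1.4 this unset() can fail
        // for colliding keys, so confirm the variable is really gone before
        // trusting the global table for the rest of the request.
        if (array_key_exists($name, $GLOBALS)) {
            error_log('unset() failed for global ' . $name . '; aborting');
            exit('Request aborted.');
        }
        $removed[] = $name;
    }
    return $removed;
}

// Constructed demonstration: a global that register_globals would have
// created from an unexpected query-string parameter.
$injected = 'not expected here';
$removed = scrub_globals($allowed);
$injected_seen = isset($injected);
var_dump($injected_seen);
echo 'Removed: ', implode(', ', $removed), "\n";
```

The check after each unset() is the point: a cleanup that assumes unset() always succeeds gives no signal when it does not, whereas aborting the request keeps an attacker-supplied global from reaching code that trusts the symbol table.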

Upgrade Your Core Drupal Installation

Multiple security vulnerabilities have been uncovered in Drupal's core 5.2 installation.

Solution: Upgrade to Drupal 5.3 or Drupal 4.7.8. You should also make sure that under Settings -> File uploads, "html" is not listed as an allowed extension.

Note: If for some reason you can't upgrade yet, please apply the following patches to your existing installation: Drupal 5.2 or Drupal 4.7.7.

Vulnerabilities

HTTP response splitting: In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
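The escaping the paragraph above calls for, as an added example (not Drupal's code): a response header built from user input is refused outright if its name or value carries CR, LF or NUL, the characters a splitting payload needs to start a new header or a second response. `safe_header()` and `header_value_is_safe()` are hypothetical names, the `destination` parameter is an assumption, and the sample inputs are constructed.

```php
<?php
// Added example, not Drupal code: a guard for response headers built from
// user-supplied data. safe_header() is a hypothetical wrapper around header().

function header_value_is_safe($value) {
    // CR (0x0D), LF (0x0A) and NUL never belong in a header name or value;
    // a single CRLF is all a response-splitting payload needs.
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

function safe_header($name, $value) {
    if (!header_value_is_safe($name) || !header_value_is_safe($value)) {
        // Log the rejection and answer with a neutral error rather than
        // emitting the tainted header.
        error_log('Rejected header ' . $name . ': control characters present');
        header('HTTP/1.1 400 Bad Request');
        exit;
    }
    header($name . ': ' . $value);
}

// Constructed inputs: a normal redirect target and one carrying a CRLF.
$clean   = 'http://example.com/node/1';
$tainted = "http://example.com/node/1\r\nX-Injected: 1";

var_dump(header_value_is_safe($clean));
var_dump(header_value_is_safe($tainted));

// Typical call site: a "destination" parameter that ends up in a Location
// header must pass the guard first (the parameter name is an assumption).
if (isset($_GET['destination'])) {
    safe_header('Location', $_GET['destination']);
}
```

Rejecting rather than stripping the control characters is deliberate: a stripped value may still be a URL the application never intended, while a rejected one leaves a log line to investigate. Whether the redirect target points at the site's own host is a separate check that this guard does not perform.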

Arbitrary code execution: The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server.

An immediate workaround is the removal of the file install.php in the Drupal root directory.

Cross site scripting: The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files, but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually.
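The two checks described above (the allowed-extension list and the review of files already on disk), as an added example that is not Drupal's own code: the first function flags html in an extension list, the second walks an upload directory and reports each HTML file together with the markers from the checklist it contains. The directory path, the sample extension list and the function names are assumptions; `htm` is included on the assumption that browsers render it exactly like `html`.

```php
<?php
// Added example, not Drupal code: review the upload settings and the files
// directory for the conditions the advisory describes.

// Extensions a browser renders as HTML, and therefore as script.
function risky_upload_extensions(array $allowed) {
    $risky = array('html', 'htm');
    $normalised = array_map('strtolower', array_map('trim', $allowed));
    return array_values(array_intersect($normalised, $risky));
}

// Markers from the checklist: script tags, CSS includes, Javascript
// includes and onerror attributes. Returns the labels found in $body.
function html_risk_markers($body) {
    $patterns = array(
        'script tag'         => '/<script\b/i',
        'CSS include'        => '/<link\b[^>]*\bstylesheet\b/i',
        'Javascript include' => '/<script\b[^>]*\bsrc\s*=/i',
        'onerror attribute'  => '/\bonerror\s*=/i',
    );
    $hits = array();
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $body)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Walk the upload directory and report every .html/.htm file with the
// markers found in it, so an administrator can decide what to remove.
function scan_uploaded_html($dir) {
    $findings = array();
    if (!is_dir($dir)) {
        return $findings;
    }
    $iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if ($ext !== 'html' && $ext !== 'htm') {
            continue;
        }
        $findings[$path] = html_risk_markers(file_get_contents($path));
    }
    return $findings;
}

// Constructed settings check: an allowed-extension list that still has html.
$allowed = explode(' ', 'jpg jpeg gif png txt html doc xls pdf');
$risky = risky_upload_extensions($allowed);
if ($risky) {
    echo 'Remove from allowed extensions: ', implode(', ', $risky), "\n";
}

// Assumed path; Drupal's default files directory is an example choice here.
foreach (scan_uploaded_html('sites/default/files') as $path => $markers) {
    echo $path, ': ', ($markers ? implode(', ', $markers) : 'no markers, review manually'), "\n";
}
```

Files with no markers are still listed: the advisory's advice is to remove any HTML file you did not place there yourself, and the marker list only prioritises which ones to look at first.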

Wikipedia has more information about cross site scripting.

Cross site request forgery: The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.
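The protection the Forms API provides and the user deletion form lacked, shown as an added example (not Drupal's Forms API code): a per-session secret signs the form id, the token is embedded as a hidden field, and a POST is acted on only if it carries a matching token. The form id `user_delete`, the field name `form_token` and the `delete_user_account()` call are assumptions; the block assumes PHP 7 or later for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, not Drupal code: the token check a hand-rolled form needs
// when it does not go through the Forms API.

session_start();

// One secret per session; the token is an HMAC of the form id under that
// secret, so another site cannot predict it, yet it is stable for the user.
function csrf_token($form_id) {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(16));
    }
    return hash_hmac('sha256', $form_id, $_SESSION['csrf_secret']);
}

function csrf_token_valid($form_id, $token) {
    // Constant-time comparison; a missing or malformed token fails.
    return is_string($token) && hash_equals(csrf_token($form_id), $token);
}

$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';

// Rendering the confirmation form: embed the token as a hidden field.
if ($method !== 'POST') {
    $token = htmlspecialchars(csrf_token('user_delete'), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">',
         '<input type="hidden" name="form_token" value="', $token, '">',
         '<input type="submit" value="Delete account">',
         '</form>', "\n";
    exit;
}

// Handling the submission: a request that did not come from the form we
// served carries no valid token and is refused before anything is deleted.
$token = isset($_POST['form_token']) ? $_POST['form_token'] : '';
if (!csrf_token_valid('user_delete', $token)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Invalid form token.');
}
echo 'Token valid; account deletion may proceed.', "\n";
// delete_user_account($uid);  // hypothetical helper, only reached with a valid token
```

Binding the form id to the target (for example `'user_delete_' . $uid`) ties the token to one specific deletion rather than to the form in general, which is the same idea the Forms API applies when it derives its token from the form's identity.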

Access bypass: The publication status of comments is not passed during the hook_comment API operation, causing various modules that rely on the publication status (such as Organic groups or Subscriptions) to mail out unpublished comments.


I'm still using PHP3. It has

I'm still using PHP3. It has some flaws though and for a third version I was expecting more. I tried using it with offshore corporation and it failed miserably to get me where I wanted. I consider myself a good programmer (see how I didn't use the word very in front of good?) but still it seems like the code is hard to follow.
