Bug 454849 (CVE-2008-3218)

Summary: drupal: multiple security issues in < 6.3,5.8/5.9 (SA-2008-044,SA-2008-046 - CVE-2008-3218, CVE-2008-3219, CVE-2008-3220, CVE-2008-3221, CVE-2008-3222, CVE-2008-3223)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: gwync
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-01 18:26:11 UTC

Description Tomas Hoger 2008-07-10 07:03:08 UTC
The Drupal security team released an advisory describing multiple security issues
affecting Drupal 5.x and 6.x - SA-2008-044:

  http://drupal.org/node/280571

Advisory includes:
- cross site scripting issues
- cross site request forgeries
- session fixation issues
- SQL injection

Fixed in upstream versions: 5.8 and 6.3

Upstream patches for 5.7/6.2:
http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch
http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch

Comment 3 Fedora Update System 2008-07-15 12:17:18 UTC
drupal-6.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2008-07-15 12:19:06 UTC
drupal-5.8-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2008-07-21 08:28:34 UTC
CVE-2008-3218:
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x
before 6.3 allow remote attackers to inject arbitrary web script or
HTML via vectors related to (1) free tagging taxonomy terms, which are
not properly handled on node preview pages, and (2) unspecified OpenID
values.

CVE-2008-3219:
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before
6.3 does not "prevent use of the object HTML tag in administrator
input," which has unknown impact and attack vectors, probably related
to an insufficient cross-site scripting (XSS) protection mechanism.

CVE-2008-3220:
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before
5.8 and 6.x before 6.3 allows remote attackers to perform
administrative actions via vectors involving deletion of "translated
strings."

CVE-2008-3221:
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before
6.3 allows remote attackers to perform administrative actions via
vectors involving deletion of OpenID identities.

CVE-2008-3222:
Session fixation vulnerability in Drupal 5.x before 5.8 and 6.x before
6.3, when contributed modules "terminate the current request during a
login event," allows remote attackers to hijack web sessions via
unknown vectors.

CVE-2008-3223:
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3
allows remote attackers to execute arbitrary SQL commands via vectors
related to "an inappropriate placeholder for 'numeric' fields."

Comment 6 Tomas Hoger 2008-07-21 08:40:33 UTC
Fedora Drupal packages were updated to 5.8 / 6.3 via:

https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6411
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6415

Comment 7 Tomas Hoger 2008-07-31 13:17:06 UTC
The patch for CVE-2008-3222 was not included in drupal 5.8 tarballs, even though
it was included in the SA-2008-044-5.7.patch referenced by SA-2008-044.

Upstream released SA-2008-046 / http://drupal.org/node/286417 to correct this
problem:

  When contributed modules such as Workflow NG terminate the current request
  during a login event, user module is not able to regenerate the user's
  session. This may lead to a session fixation attack, when a malicious user
  is able to control another user's initial session ID. As the session is not
  regenerated, the malicious user may use the 'fixed' session ID after the
  victim authenticates and will have the same access.

  The advisory SA-2008-044 claims that this session fixation vulnerability was
  fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this
  vulnerability.
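The SA-2008-046 text above describes the mechanism behind CVE-2008-3222: if the login code path never reaches the step that regenerates the session, the authenticated identity is bound to whatever session ID the browser already carried, and anyone who knew that ID beforehand shares the login. The following toy model, added here and not part of the bug report or of Drupal's user module, makes that concrete with an in-memory session store: `login_vulnerable` binds the user to the presented ID (the behaviour of a request terminated before regeneration), `login_fixed` moves the session to a fresh ID and invalidates the old one before binding, and `fixation_scenario` reports whether the pre-known ID ends up authenticated. All class and function names, and the user id 42, are constructed for this illustration.

```python
import secrets


class SessionStore:
    """Constructed in-memory stand-in for a server-side session backend."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def new_session(self):
        """Hand out a fresh anonymous session (uid 0), as a first page view would."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"uid": 0}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def regenerate(self, sid):
        """Move the session data to a new id and invalidate the old id.

        This is the step SA-2008-046 says is skipped when a contributed module
        terminates the request during the login event.
        """
        data = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid


def _ensure_session(store, sid):
    """Return a valid session id, creating one if the presented id is unknown."""
    if store.get(sid) is None:
        sid = store.new_session()
    return sid


def login_vulnerable(store, sid, uid):
    """Login without regeneration: identity is attached to the presented id."""
    sid = _ensure_session(store, sid)
    store.get(sid)["uid"] = uid
    return sid


def login_fixed(store, sid, uid):
    """Login with regeneration: a new id is issued before the identity is bound."""
    sid = _ensure_session(store, sid)
    sid = store.regenerate(sid)
    store.get(sid)["uid"] = uid
    return sid


def fixation_scenario(login):
    """Run one login through the given login function and report the outcome.

    The model assumes a session id that was known before the login (here simply
    the anonymous id the store handed out first) is the one the victim's browser
    presents at login time; how it got there is outside this model.
    """
    store = SessionStore()
    known_sid = store.new_session()          # id known before the login happens
    victim_sid = login(store, known_sid, uid=42)

    known_view = store.get(known_sid)
    return {
        # The defender's check: does the session id change across login?
        "sid_changed": victim_sid != known_sid,
        # Is the pre-known id still valid and now carrying the victim's identity?
        "preknown_id_authenticated": known_view is not None and known_view["uid"] == 42,
        # The victim is logged in either way; the fix must not break that.
        "victim_logged_in": store.get(victim_sid)["uid"] == 42,
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(login_vulnerable))
    print("fixed:     ", fixation_scenario(login_fixed))
```

The `sid_changed` field is the practical check this advisory suggests for a deployment: after a successful login the session cookie value must differ from the one sent with the login request, and the old value must no longer resolve to a session. A site on Drupal 5.8 with a module that ends the request during login would fail that check, which is exactly what the 5.9 release corrected.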

Comment 8 Fedora Update System 2008-08-01 01:47:40 UTC
drupal-5.9-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Tomas Hoger 2008-10-01 18:26:11 UTC
The fix for CVE-2008-3222 was included in drupal 5.x as shipped in Fedora 8 in:

https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6916