Bug 454849 (CVE-2008-3218)

Summary: drupal: multiple security issues in < 6.3, 5.8/5.9 (SA-2008-044, SA-2008-046 - CVE-2008-3218, CVE-2008-3219, CVE-2008-3220, CVE-2008-3221, CVE-2008-3222, CVE-2008-3223)

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Tomas Hoger <thoger> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | gwync |
| Target Milestone | --- | Keywords | Reopened, Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2008-10-01 18:26:11 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Tomas Hoger
2008-07-10 07:03:08 UTC
drupal-6.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

drupal-5.8-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

CVE-2008-3218: Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

CVE-2008-3219: The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism.

CVE-2008-3220: Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."

CVE-2008-3221: Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.

CVE-2008-3222: Session fixation vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.

CVE-2008-3223: SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."

Fedora Drupal packages were updated to 5.8 / 6.3 via:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6411
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6415

The patch for CVE-2008-3222 was not included in drupal 5.8 tarballs, even though it was included in the SA-2008-044-5.7.patch referenced by SA-2008-044. Upstream released SA-2008-046 / http://drupal.org/node/286417 to correct this problem:

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. The advisory SA-2008-044 claims that this session fixation vulnerability was fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this vulnerability.

drupal-5.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

The fix for CVE-2008-3222 was included in drupal 5.x as shipped in Fedora 8 in:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6916
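The failure mode SA-2008-046 describes (a login hook ends the request before the session ID is regenerated, so the ID the victim started with stays authenticated) can be modelled in a few lines. The following is an added illustration, not Drupal code: the session store, the `RequestTerminated` hook and both login orderings are constructed here, and the assumption that the hardened ordering regenerates the ID before any hook runs is an illustration of the principle, not a description of the upstream patch.

```python
import secrets

# Added illustration of session regeneration on login (not Drupal's code).
# Sessions are kept in memory: session_id -> {"uid": <0 for anonymous>}.

class SessionStore:
    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"uid": 0}           # anonymous session
        return sid

    def regenerate(self, old_sid):
        """Move the session data to a fresh ID and invalidate the old one."""
        data = self.sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

class RequestTerminated(Exception):
    """A login hook that ends the request early (constructed stand-in for a
    contributed module issuing a redirect during the login event)."""

def terminating_hook(store, sid):
    raise RequestTerminated

def login_regenerate_last(store, sid, uid, hooks=()):
    """Vulnerable ordering: authenticate under the pre-login ID, run hooks,
    and regenerate only if no hook aborted the request."""
    store.sessions[sid]["uid"] = uid
    for hook in hooks:
        hook(store, sid)
    return store.regenerate(sid)

def login_regenerate_first(store, sid, uid, hooks=()):
    """Hardened ordering (assumed here): regenerate before hooks run, so the
    pre-login ID is invalidated no matter how the request ends."""
    new_sid = store.regenerate(sid)
    store.sessions[new_sid]["uid"] = uid
    for hook in hooks:
        hook(store, new_sid)
    return new_sid

def prelogin_id_still_valid(login):
    """Victim logs in from a known pre-login ID with a terminating hook
    installed; return True if that same ID is now an authenticated session."""
    store = SessionStore()
    prelogin_sid = store.create()
    try:
        login(store, prelogin_sid, uid=42, hooks=(terminating_hook,))
    except RequestTerminated:
        pass                                      # request ended mid-login
    return store.sessions.get(prelogin_sid, {}).get("uid", 0) == 42
```

`prelogin_id_still_valid(login_regenerate_last)` returns True and `prelogin_id_still_valid(login_regenerate_first)` returns False; the defensive check for any framework is the second result.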