Bug 454849 - (CVE-2008-3218) drupal: multiple security issues in < 6.3,5.8/5.9 (SA-2008-044,SA-2008-046 - CVE-2008-3218, CVE-2008-3219, CVE-2008-3220, CVE-2008-3221, CVE-2008-3222, CVE-2008-3223)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Reopened, Security
Reported: 2008-07-10 03:03 EDT by Tomas Hoger
Modified: 2008-10-01 14:26 EDT

Doc Type: Bug Fix
Last Closed: 2008-10-01 14:26:11 EDT


Description Tomas Hoger 2008-07-10 03:03:08 EDT
Drupal security team released an advisory describing multiple security issues
affecting Drupal 5.x and 6.x - SA-2008-044:

  http://drupal.org/node/280571

Advisory includes:
- cross site scripting issues
- cross site request forgeries
- session fixation issues
- SQL injection

Fixed in upstream versions: 5.8 and 6.3

Upstream patches for 5.7/6.2:
http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch
http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch
Comment 3 Fedora Update System 2008-07-15 08:17:18 EDT
drupal-6.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2008-07-15 08:19:06 EDT
drupal-5.8-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Tomas Hoger 2008-07-21 04:28:34 EDT
CVE-2008-3218:
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x
before 6.3 allow remote attackers to inject arbitrary web script or
HTML via vectors related to (1) free tagging taxonomy terms, which are
not properly handled on node preview pages, and (2) unspecified OpenID
values.

CVE-2008-3219:
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before
6.3 does not "prevent use of the object HTML tag in administrator
input," which has unknown impact and attack vectors, probably related
to an insufficient cross-site scripting (XSS) protection mechanism.

CVE-2008-3220:
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before
5.8 and 6.x before 6.3 allows remote attackers to perform
administrative actions via vectors involving deletion of "translated
strings."

CVE-2008-3221:
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before
6.3 allows remote attackers to perform administrative actions via
vectors involving deletion of OpenID identities.

CVE-2008-3222:
Session fixation vulnerability in Drupal 5.x before 5.8 and 6.x before
6.3, when contributed modules "terminate the current request during a
login event," allows remote attackers to hijack web sessions via
unknown vectors.

CVE-2008-3223:
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3
allows remote attackers to execute arbitrary SQL commands via vectors
related to "an inappropriate placeholder for 'numeric' fields."
Comment 6 Tomas Hoger 2008-07-21 04:40:33 EDT
Fedora Drupal packages were updated to 5.8 / 6.3 via:

https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6411
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6415
Comment 7 Tomas Hoger 2008-07-31 09:17:06 EDT
The patch for CVE-2008-3222 was not included in drupal 5.8 tarballs, even though
it was included in the SA-2008-044-5.7.patch referenced by SA-2008-044.

Upstream released SA-2008-046 / http://drupal.org/node/286417 to correct this
problem:

  When contributed modules such as Workflow NG terminate the current request
  during a login event, user module is not able to regenerate the user's
  session. This may lead to a session fixation attack, when a malicious user
  is able to control another users' initial session ID. As the session is not
  regenerated, the malicious user may use the 'fixed' session ID after the
  victim authenticates and will have the same access.

  The advisory SA-2008-044 claims that this session fixation vulnerability was
  fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this
  vulnerability.
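
Added example, not part of the bug report, not Drupal's code and not taken from the upstream patch: a small Python model of the ordering problem SA-2008-046 describes, where a login hook that ends the request keeps the session ID from being regenerated. `SessionStore`, `login` and `terminating_hook` are hypothetical names, and the session IDs are constructed at run time.

```python
import secrets

class RequestTerminated(Exception):
    """Models a contributed module ending the request during the login event."""

class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> user name (None = anonymous)

    def new_anonymous(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def regenerate(self, old_sid):
        # Move the session data to a fresh id and invalidate the old one.
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(old_sid)
        return new_sid

def terminating_hook(user):
    # Hypothetical login hook that stops request processing.
    raise RequestTerminated()

def login(store, sid, user, hooks, regenerate_first):
    """Authenticate `user` on `sid`; return the id the browser ends up with."""
    store.sessions[sid] = user
    try:
        if regenerate_first:
            sid = store.regenerate(sid)   # runs no matter what the hooks do
        for hook in hooks:
            hook(user)
        if not regenerate_first:
            sid = store.regenerate(sid)   # skipped if a hook ended the request
    except RequestTerminated:
        pass  # request ended early; only the steps before the hook happened
    return sid

def fixed_id_is_authenticated(regenerate_first, hooks):
    """True if an id known before login still maps to the logged-in user."""
    store = SessionStore()
    fixed = store.new_anonymous()  # constructed pre-login session id
    login(store, fixed, "victim", hooks, regenerate_first)
    return store.sessions.get(fixed) == "victim"
```

Regenerating before the hooks run is one ordering that closes the gap in this model; a useful regression check for any login flow is that the pre-login ID is invalid after authentication regardless of what the hooks do.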
Comment 8 Fedora Update System 2008-07-31 21:47:40 EDT
drupal-5.9-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2008-10-01 14:26:11 EDT
Fix for CVE-2008-3222 was included in drupal 5.x as shipped in Fedora 8 in:

https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6916
