The Drupal security team released an advisory describing multiple security issues
affecting Drupal 5.x and 6.x - SA-2008-044:
- cross site scripting issues
- cross site request forgeries
- session fixation issues
- SQL injection
Fixed in upstream versions: 5.8 and 6.3
Upstream patches for 5.7/6.2:
drupal-6.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
drupal-5.8-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x
before 6.3 allow remote attackers to inject arbitrary web script or
HTML via vectors related to (1) free tagging taxonomy terms, which are
not properly handled on node preview pages, and (2) unspecified OpenID
The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before
6.3 does not "prevent use of the object HTML tag in administrator
input," which has unknown impact and attack vectors, probably related
to an insufficient cross-site scripting (XSS) protection mechanism.
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before
5.8 and 6.x before 6.3 allows remote attackers to perform
administrative actions via vectors involving deletion of "translated
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before
6.3 allows remote attackers to perform administrative actions via
vectors involving deletion of OpenID identities.
Session fixation vulnerability in Drupal 5.x before 5.8 and 6.x before
6.3, when contributed modules "terminate the current request during a
login event," allows remote attackers to hijack web sessions via
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3
allows remote attackers to execute arbitrary SQL commands via vectors
related to "an inappropriate placeholder for 'numeric' fields."
Fedora Drupal packages were updated to 5.8 / 6.3 via:
The patch for CVE-2008-3222 was not included in drupal 5.8 tarballs, even though
it was included in the SA-2008-044-5.7.patch referenced by SA-2008-044.
Upstream released SA-2008-046 / http://drupal.org/node/286417 to correct this
When contributed modules such as Workflow NG terminate the current request
during a login event, user module is not able to regenerate the user's
session. This may lead to a session fixation attack, when a malicious user
is able to control another user's initial session ID. As the session is not
regenerated, the malicious user may use the 'fixed' session ID after the
victim authenticates and will have the same access.
The advisory SA-2008-044 claims that this session fixation vulnerability was
fixed in Drupal 5.8 and 6.3. Unfortunately, Drupal 5.8 still contains this
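The ordering problem the advisory describes, modelled as an added example (not Drupal's code): a login flow that regenerates the session id only after login hooks have run leaves the pre-login id authenticated whenever a hook terminates the request, while regenerating before the hooks run does not. The SessionStore, hook and uid values are constructed for the illustration.

```python
import secrets

class SessionStore:
    """Server-side session table: session id -> session data (constructed model)."""
    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"uid": 0}        # anonymous session
        return sid

    def regenerate(self, old_sid):
        """Move the session data to a fresh id and invalidate the old one."""
        data = self.sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

class RequestTerminated(Exception):
    """A contributed module ended the request during the login event."""

def terminating_hook():
    raise RequestTerminated()

def login(store, sid, uid, login_hooks, regenerate_before_hooks):
    """Authenticate uid on session sid and run the login hooks; returns the final id."""
    try:
        if regenerate_before_hooks:
            sid = store.regenerate(sid)
        store.sessions[sid]["uid"] = uid       # session is now authenticated
        for hook in login_hooks:
            hook()
        if not regenerate_before_hooks:
            sid = store.regenerate(sid)        # never reached if a hook exits early
    except RequestTerminated:
        pass                                    # request ends; session is saved as is
    return sid

def fixation_succeeds(login_hooks, regenerate_before_hooks):
    """True if a session id known before login ends up bound to the logged-in user."""
    store = SessionStore()
    known_sid = store.new_session()            # id that was set before the victim logged in
    login(store, known_sid, 42, login_hooks, regenerate_before_hooks)
    return store.sessions.get(known_sid, {}).get("uid") == 42
```

The same check (session id before login must differ from the id after login, even when a login hook redirects) is what a site owner can verify against their own module stack after updating.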
drupal-5.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Fix for CVE-2008-3222 was included in drupal 5.x as shipped in Fedora 8 in: