Red Hat Bugzilla – Bug 466741
drupal: multiple drupal issues in < 6.5,5.11 (SA-2008-060 - CVE-2008-4789, CVE-2008-4790, CVE-2008-4791, CVE-2008-4792, CVE-2008-4793)
Last modified: 2008-10-30 04:31:26 EDT
Drupal upstream released new upstream versions 6.5 and 5.11 fixing multiple
security issues described in upstream advisory SA-2008-060:
- File upload access bypass (unprivileged file attach, 6.x)
- File upload access bypass (file disclosure, 5.x)
- Access rules bypass
- BlogAPI access bypass
- Node validation bypass (5.x)
Upstream patches against previous versions:
drupal-6.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
drupal-5.11-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 468423 has been marked as a duplicate of this bug. ***
CVEs assigned to these issue:
The validation functionality in the core upload module in Drupal 6.x
before 6.5 allows remote authenticated users to bypass intended access
restrictions and "attach files to content," related to a "logic
The core upload module in Drupal 5.x before 5.11 allows remote
authenticated users to bypass intended access restrictions and read
"files attached to content" via unknown vectors.
The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might
allow remote authenticated users to bypass intended login access rules
and successfully login via unknown vectors.
The core BlogAPI module in Drupal 5.x before 5.11 and 6.x before 6.5
does not properly validate unspecified content fields of an internal
Drupal form, which allows remote authenticated users to bypass
intended access restrictions via modified field values.
The node module API in Drupal 5.x before 5.11 allows remote attackers
to bypass node validation and have unspecified other impact via
unknown vectors related to contributed modules.
New upstream drupal versions 5.11 / 6.5 were pushed to F8 and F9 stable via: