---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2005-004 ---------------------------------------------------------------------------- Advisory ID: DRUPAL-SA-2005-004 Date: 2005-aug-15 CVE ID: CAN-2005-2498 Security risk: highly critical Impact: system access Where: from remote Vulnerability: arbitrary PHP code execution ---------------------------------------------------------------------------- Description ----------- Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility in the third-party XML-RPC library included with some Drupal versions. An attacker could execute arbitrary PHP code on a target site. Versions affected ----------------- Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4 Drupal 4.6.0, 4.6.1, 4.6.2 Drupal HEAD is not affected, as the XML-RPC library has been replaced by a different one. Solution -------- - If you cannot upgrade immediately, you can secure your site by removing the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of your Drupal directory. - If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5. - If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3. Timeline -------- - Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and other PHP projects using the XML-RPC library. He plans a coordinated release of all affected projects for next week. - Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release is spoiled because information about the security issue was leaked to the public. - Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on a new release via the security mailing list and IRC. - Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released. Contact ------- The security contact for Drupal can be reached at security@xxxxxxxxxx or using the form at http://drupal.org/contact. // Uwe Hermann, on behalf of the Drupal Security Team. -- Uwe Hermann <uwe@xxxxxxxxxxxxxx> http://www.hermann-uwe.de | http://www.crazy-hacks.org http://www.it-services-uh.de | http://www.phpmeat.org http://www.unmaintained-free-software.org | http://www.holsham-traders.de
Attachment:
signature.asc
Description: Digital signature