Drupal XML-RPC Library Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1014674
SecurityTracker URL: http://securitytracker.com/id?1014674
CVE Reference: CAN-2005-2498
Date: Aug 15 2005
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.5 prior to 4.5.5 and 4.6 prior to 4.6.3
Description: A vulnerability was reported in Drupal in the XML-RPC library. A remote user can execute arbitrary code on the target system.
An unspecified flaw in the 3rd party XML-RPC library included with certain versions of Drupal allows a remote user to execute arbitrary PHP code on the target site.
The vendor was notified on August 12, 2005.
Stefan Esser of the Hardened-PHP Project notified the vendor of this vulnerability.
Impact: A remote user can execute arbitrary PHP code on the target system with the privileges of the target web service.
Solution: The vendor has issued fixed versions (4.6.3 and 4.5.5).
Vendor URL: www.drupal.org/
Cause: Not specified
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Uwe Hermann <uwe@hermann-uwe.de>
Message History: None.

Source Message Contents
Date: Mon, 15 Aug 2005 04:34:50 +0200
From: Uwe Hermann <uwe@hermann-uwe.de>
Subject: [Full-disclosure] [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes
----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2005-004
Date: 2005-aug-15
CVE ID: CAN-2005-2498
Security risk: highly critical
Impact: system access
Where: from remote
Vulnerability: arbitrary PHP code execution
----------------------------------------------------------------------------
Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerability
in the third-party XML-RPC library included with some Drupal versions. An
attacker could execute arbitrary PHP code on a target site.
Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a
different one.
Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.
Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
  other PHP projects using the XML-RPC library. He plans a coordinated
  release of all affected projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
  is spoiled because information about the security issue was leaked to the
  public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
  a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.
Contact
-------
The security contact for Drupal can be reached at security@drupal.org
or using the form at http://drupal.org/contact.
// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann <uwe@hermann-uwe.de>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
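
The checks from the advisory's "Versions affected" and "Solution" sections, written out as an added example (not part of the advisory and not Drupal project code). The function names classify_version and triage_site are hypothetical, and the version string is assumed to be supplied by the operator rather than detected from the tree.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a Drupal tree against
# DRUPAL-SA-2005-004. The version string is supplied by the caller.

# classify_version VERSION -> affected | fixed | unlisted
classify_version() {
    case "$1" in
        4.5.[0-4]|4.6.[0-2]) echo affected ;;  # "Versions affected" list
        4.5.5|4.6.3)         echo fixed ;;     # releases named under "Solution"
        *)                   echo unlisted ;;  # advisory makes no statement
    esac
}

# triage_site ROOT VERSION
#   prints exposed | workaround-applied | fixed | unlisted | no-such-dir
#   returns 1 when exposed, 2 when ROOT is not a directory, 0 otherwise
triage_site() {
    root=$1
    version=$2
    [ -d "$root" ] || { echo no-such-dir; return 2; }
    state=$(classify_version "$version")
    if [ "$state" != affected ]; then
        echo "$state"
        return 0
    fi
    # Workaround from the advisory: xmlrpc.php removed from the Drupal root.
    # -e follows symlinks; -L also catches a dangling link left in place.
    if [ -e "$root/xmlrpc.php" ] || [ -L "$root/xmlrpc.php" ]; then
        echo exposed
        return 1
    fi
    echo workaround-applied
}

# Constructed demo: throwaway trees standing in for real document roots.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/a" "$tmp/b"
    : > "$tmp/a/xmlrpc.php"      # site a still ships the XML-RPC endpoint
    for spec in "a 4.6.2" "b 4.5.4" "a 4.6.3"; do
        set -- $spec
        printf '%s %s %s\n' "$1" "$2" "$(triage_site "$tmp/$1" "$2")"
    done
    rm -rf "$tmp"
}
demo
```

A status of workaround-applied only confirms the file is absent from that directory; the upgrade to 4.5.5 or 4.6.3 remains the fix the advisory names.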