SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Drupal Vendors:   drupal.org
Drupal XML-RPC Library Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014674
SecurityTracker URL:  http://securitytracker.com/id/1014674
CVE Reference:   CAN-2005-2498   (Links to External Site)
Date:  Aug 15 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.5 prior to 4.5.5 and 4.6 prior to 4.6.3
Description:   A vulnerability was reported in Drupal in the XML-RPC library. A remote user can execute arbitrary code on the target system.

An unspecified flaw in the 3rd party XML-RPC library included with certain versions of Drupal allows a remote user to execute arbitrary PHP code on the target site.

The vendor was notified on August 12, 2005.

Stefan Esser of the Hardened-PHP Project notified the vendor of this vulnerability.
Impact:   A remote user can execute arbitrary PHP code on the target system with the privileges of the target web service.
Solution:   The vendor has issued fixed versions (4.6.3 and 4.5.5).
Vendor URL:  www.drupal.org/ (Links to External Site)
Cause:   Not specified
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Mon, 15 Aug 2005 04:34:50 +0200
Subject:  [Full-disclosure] [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes


--===============1844058015==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="xHFwDpU9dbj6ez1V"
Content-Disposition: inline


--xHFwDpU9dbj6ez1V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2005-004
Date:           2005-aug-15
CVE ID:         CAN-2005-2498
Security risk:  highly critical
Impact:         system access
Where:          from remote
Vulnerability:  arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An=
=20
attacker could execute arbitrary PHP code on a target site.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a=
=20
different one.

Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.

Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal =
and
                          other PHP projects using the XML-RPC library.
                          He plans a coordinated release of all affected
                          projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
                          is spoiled because information about the security
                          issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work =
on
                          a new release via the security mailing list and I=
RC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are release=
d.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org=20
or using the form at http://drupal.org/contact.


// Uwe Hermann, on behalf of the Drupal Security Team.
--=20
Uwe Hermann <uwe@hermann-uwe.de>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de

--xHFwDpU9dbj6ez1V
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC//9JXdVoV3jWIbQRAm/9AJ9hDM/6/obZBhzx9zMb7c3CHcrY1QCfX7LZ
9H2FGyuumqSARw1wDWfN9iE=
=p39p
-----END PGP SIGNATURE-----

--xHFwDpU9dbj6ez1V--

--===============1844058015==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1844058015==--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC