Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue

[DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue

From: Uwe Hermann <uwe_at_hermann-uwe.de>
Date: Mon, 15 Aug 2005 04:34:50 +0200

----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2005-004
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2005-004
Date: 2005-aug-15
CVE ID: CAN-2005-2498
Security risk: highly critical
Impact: system access
Where: from remote
Vulnerability: arbitrary PHP code execution
----------------------------------------------------------------------------

Description
-----------
Stefan Esser of the Hardened-PHP Project reported a serious vulnerablility
in the third-party XML-RPC library included with some Drupal versions. An
attacker could execute arbitrary PHP code on a target site.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4
Drupal 4.6.0, 4.6.1, 4.6.2
Drupal HEAD is not affected, as the XML-RPC library has been replaced by a
different one.

Solution
--------
- If you cannot upgrade immediately, you can secure your site by removing
  the XML-RPC server: simply remove the file 'xmlrpc.php' in the root of
  your Drupal directory.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.5.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.3.

Timeline
--------
- Fri, 12 Aug 2005 21:15: Stefan Esser reports the vulnerability to Drupal and
                          other PHP projects using the XML-RPC library.
                          He plans a coordinated release of all affected
                          projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release
                          is spoiled because information about the security
                          issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on
                          a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Updated Drupal 4.6.3 and Drupal 4.5.5 are released.

Contact
-------
The security contact for Drupal can be reached at security_at_drupal.org
or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team. 

-- 
Uwe Hermann <uwe_at_hermann-uwe.de>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Received on Aug 14 2005
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]