SA-2008-044 (09 July 2008) Drupal core - Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-2008-044
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2008-July-9
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Drupal 5.x is vulnerable to cross-site request forgery (CSRF) in translated strings and to a session fixation attack when certain third-party modules are used. In addition, it was decided to disallow the <object> tag in text supplied by administrators, such as the site mission statement or the descriptions of taxonomy terms, for security reasons.

The official announcement is here, and the official patch for Drupal 5.7 is here.

Considerations for Drupal 4.7

Drupal 4.7 is vulnerable to the same session fixation attack and should be patched.

Note that the function session_regenerate_id() referenced in this patch was replaced with the function sess_regenerate() later in the 4.7 branch. For example, if you are using Drupal 4.7.7, you would use a patch similar to that for Drupal 5.7. Whichever function you call, the essential point is that the session ID is regenerated before the call to user_module_invoke('login', ...): any module acting on the 'login' hook then sees only the new ID, and a session ID planted by an attacker before authentication never becomes an authenticated session. As long as that ordering holds, your site will not be vulnerable to this attack.
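The following is an added example, not the Drupal patch itself, showing the same login ordering in plain PHP: a handler that authenticates under whatever session ID the request arrived with, beside one that rotates the ID before any login hook runs. The names invoke_login_hooks(), login_vulnerable() and login_fixed() are hypothetical stand-ins for Drupal's login path and user_module_invoke('login', ...); the attacker-chosen session ID is a constructed value.

```php
<?php
// Added example (not from Drupal core or the SA-2008-044 patch).
// Attack model: the attacker gets the victim's browser to use a session ID the
// attacker already knows (a "fixated" cookie). If the application then logs the
// victim in under that same ID, the attacker's cookie names a logged-in session.

// Hypothetical stand-in for user_module_invoke('login', ...). A third-party
// module that records anything keyed by session_id() here binds it to whatever
// ID is current at this moment, which is why regeneration must come first.
function invoke_login_hooks(array $account): void
{
    $_SESSION['login_hook_saw_sid'] = session_id();
}

// VULNERABLE: authenticates under the session ID the request arrived with.
function login_vulnerable(array $account): string
{
    $_SESSION['uid'] = $account['uid'];
    invoke_login_hooks($account);
    return session_id();
}

// FIXED: rotate the session ID before anything is bound to it. The `true`
// argument also discards the old session data, so the attacker's ID maps to
// nothing afterwards. Drupal's sess_regenerate() does the equivalent and, since
// Drupal stores sessions in its {sessions} table, also moves that row to the
// new sid.
function login_fixed(array $account): string
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $account['uid'];
    invoke_login_hooks($account);
    return session_id();
}

// CLI demonstration: installing an attacker-chosen ID with session_id() before
// session_start() is exactly what a fixated cookie does on a real request.
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0');      // no Set-Cookie header in the CLI
    ini_set('session.use_strict_mode', '0');  // accept unknown IDs, as PHP 4/5 did
    $attackerSid = 'attackerknowsthisid';     // constructed value

    session_id($attackerSid);
    session_start();

    $sidAfterVulnerable = login_vulnerable(['uid' => 42]);
    $sidAfterFixed      = login_fixed(['uid' => 42]);
    $hookSawSid         = $_SESSION['login_hook_saw_sid'];
    session_write_close();

    printf("vulnerable login: sid=%s (%s)\n", $sidAfterVulnerable,
        $sidAfterVulnerable === $attackerSid ? 'attacker cookie is now authenticated' : 'rotated');
    printf("fixed login:      sid=%s (%s)\n", $sidAfterFixed,
        $sidAfterFixed === $attackerSid ? 'still attacker controlled' : 'rotated before hooks ran');
    printf("login hook saw:   sid=%s\n", $hookSawSid);
}
```

Run it with the PHP CLI; the vulnerable handler leaves the session under the attacker's ID, while the fixed handler returns a freshly generated ID that the login hook also observed. On modern PHP, setting session.use_strict_mode=1 is a useful second layer, since the engine then refuses session IDs it did not issue itself; it does not replace regeneration at login, because an attacker can still obtain a legitimately issued ID and fixate that one.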

Openflows does not maintain any Drupal 4.7 sites which make use of the locale module to translate the interface. We have therefore not backported this portion of the patch. Sites using the locale module should be upgraded to Drupal 5.x.