- Advisory ID: DRUPAL-SA-2008-047
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2008-August-13
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal, including cross-site scripting, arbitrary file uploads via BlogAPI, cross-site request forgeries, and various Upload module vulnerabilities.
The official announcement for Drupal 5.x is here.
Considerations for Drupal 4.7
Drupal 4.7 is vulnerable to the same attacks and should be patched.
- SA-2008-047-blogapi.4.7.2.patch
- SA-2008-047-blogapi.4.7.2.sql
- SA-2008-047-file_inc.4.7.2.patch
- SA-2008-047-file_inc.4.7.7.patch
- SA-2008-047-filter.4.7.2.patch
- SA-2008-047-user.4.7.2.patch
- SA-2008-047-user.4.7.7.patch
At Openflows we're no longer putting much effort into these security backports. Instead, we're concentrating on migrating sites to supported versions of Drupal.
The patches for file.inc and filter.module are needed for all 4.7.x sites and should work fine everywhere.
The patch for user.module only affects user access rules (different from permissions) and the patch for blogapi.module only affects file uploads via the blog API interface. In both cases the patches we 'ported' remove the vulnerability, but may break the 4.7.x forms API. Since this is acceptable for the few 4.7 sites we have left, we did no further testing, so if you need that to work, you'll have to check it yourselves. Also, the blogapi fix requires a new SQL table, and since there are no module install files to be called by upgrade.php in 4.7, you'll have to make it by hand. The schema is included here as well.
That said, we hope this incomplete patch set is still useful to you.
