- Advisory ID: DRUPAL-SA-2008-060
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2008-October-08
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal, including a file upload access bypass, access rules bypass, BlogAPI access bypass, and node validation bypass.
The official announcement for Drupal 5.x is published as DRUPAL-SA-2008-060.
Considerations for Drupal 4.7
Drupal 4.7 is vulnerable to the same attacks and should be patched.
At Openflows we're no longer putting much effort into these security backports. Instead, we're concentrating on migrating sites to supported versions of Drupal. The patches for user.module and upload.module are needed for all 4.7.x sites, and correct the file upload access bypass and a problem with resetting user passwords.
We have now successfully migrated all 4.7 sites which use the BlogAPI to supported versions of Drupal. Our remaining 4.7 sites do not use any Drupal access rules, and do not use any third-party modules which are vulnerable to the node validation bypass. Thus, we have not backported those portions of this security patch. If your 4.7 sites do use these Drupal features, your sites will remain vulnerable even after applying this patch.
