Bug 196116 - www-apps/drupal <5.3 Multiple issues (CVE-2007-{5416,5593,5594,5595,5596,5597})
Summary: www-apps/drupal <5.3 Multiple issues (CVE-2007-{5416,5593,5594,5595,5596,5597})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: ~1 [noglsa]
Keywords:
Duplicates: 196233
Depends on:
Blocks:
Reported: 2007-10-17 00:23 UTC by Robert Buchholz (RETIRED)
Modified: 2007-10-20 23:57 UTC (History)
CC: 5 users
See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 00:23:01 UTC
CVE-2007-5416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5416):
  Drupal 5.2 and earlier does not properly unset variables when the input data
  includes a numeric parameter with a value matching an alphanumeric
  parameter's hash value, which allows remote attackers to execute arbitrary
  PHP code by invoking the drupal_eval function through a callback parameter to
  the default URI, as demonstrated by the _menu[callbacks][1][callback]
  parameter.  NOTE: it could be argued that this vulnerability is due to a bug
  in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP;
  if so, then this should not be treated as a vulnerability in Drupal.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 00:25:22 UTC
Roy and web-apps, please advise. I am not familiar with Drupal. Is this an issue, can you reproduce it?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 00:26:45 UTC
From the mail:
ShAnKaR reports PHP Zend Hash vulnerability exploitation vector
with Drupal <= 5.2.

Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval
&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();

Original message (in Russian): http://securityvulns.ru/Sdocument137.html
Comment 3 Roy Marples (RETIRED) gentoo-dev 2007-10-17 08:58:07 UTC
Using your example I get page not found.
I'm using lighttpd + php-5 CGI and pecl-apc - no zend products outside of php itself were used.

Also, as indicated, this is probably a PHP issue and not a Drupal one. There are no updates to Drupal at this time.
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-10-18 05:59:02 UTC
*** Bug 196233 has been marked as a duplicate of this bug. ***
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2007-10-18 06:06:57 UTC
Well, don't know about CVE-2007-5416 one, but:

<snip>
Drupal 4.7.8 and 5.3 are now available for download. These are maintenance releases that fix problems reported using the bug tracking system, as well as some security vulnerabilities.

Upgrading your existing Drupal sites is strongly recommended.
</snip>

SA-2007-024 - Drupal Core - HTTP response splitting - http://drupal.org/node/184315

SA-2007-025 - Drupal core - Arbitrary code execution via installer. - http://drupal.org/node/184316

SA-2007-026 - Drupal Core - Cross site scripting via uploads - http://drupal.org/node/184320

SA-2007-029 - Drupal core - User deletion cross site request forgery - http://drupal.org/node/184348

SA-2007-030 - Drupal Core - API handling of unpublished comment. - http://drupal.org/node/184354

The above ones are rated from Not critical to Highly critical, sounds like a good idea to bump this.
Comment 6 Roy Marples (RETIRED) gentoo-dev 2007-10-18 06:32:35 UTC
Nasty. Well, 5.3 is in the tree. Go wild.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-18 06:41:13 UTC
Not much to do since Drupal is not (In reply to comment #3)
> Using your example I get page not found.
> I'm using lighttpd + php-5 CGI and pecl-apc - no zend products outside of php
> itself were used.
> 
> Also, as indicated, this is probably a PHP issue and not a Drupal one. There
> are no updates to Drupal at this time.

According to this Drupal advisory this only happens with register_globals on and not with PHP 5.24: http://drupal.org/node/184313

Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-10-18 06:45:49 UTC
(In reply to comment #6)
> Nasty. Well, 5.3 is in the tree. Go wild.

Since Drupal is ~arch only, we're done here. Thanks, everyone.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-18 20:30:11 UTC
And we don't normally deal with PHP issues requiring register_globals.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-10-18 22:11:09 UTC
(In reply to comment #9)
> And we don't normally deal with PHP issues requiring register_globals.

Didn't have that detail when I opened this bug.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-10-20 23:57:19 UTC
CVEs got assigned.

CVE-2007-5595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5595):
  CRLF injection vulnerability in the drupal_goto function in
  includes/common.inc in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows
  remote attackers to inject arbitrary HTTP headers and conduct HTTP response
  splitting attacks via unspecified vectors.

CVE-2007-5594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5594):
  Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against
  the user deletion form, which allows remote attackers to delete users via a
  cross-site request forgery (CSRF) attack.

CVE-2007-5597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5597):
  The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does
  not pass publication status, which might allow attackers to bypass access
  restrictions and trigger e-mail with unpublished comments from some modules,
  as demonstrated by (1) Organic groups and (2) Subscriptions.

CVE-2007-5596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5596):
  The core Upload module in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 places
  the .html extension on a whitelist, which allows remote attackers to conduct
  cross-site scripting (XSS) attacks by uploading .html files.

CVE-2007-5593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5593):
  install.php in Drupal 5.x before 5.3, when the configured database server is
  not reachable, allows remote attackers to execute arbitrary code via vectors
  that cause settings.php to be modified.