drupal6

• Author: Miklos Vajna
• Vulnerable: 6.16-1locris1
• Unaffected: 6.19-1locris1

A weakness and some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks, and by malicious users and malicious people to bypass certain security restrictions.

1. A vulnerability in the OpenID module is caused due to incorrect protocol implementation. This can be exploited to harvest positive assertions from OpenID providers and e.g. bypass the login mechanism by replaying intercepted assertions.
2. The weakness is caused due to an error in the upload module, which does not properly check uploaded file names for case sensitivity and grants access to the earlier uploaded file. This can be exploited to download otherwise restricted files by uploading similarly named file with different letter casing.
3. An error in the comment module does not properly check for access permissions before republishing previously unpublished comments. Successful exploitation of this vulnerability requires “post comments without approval” permissions.
4. Input passed via descriptions and messages while using the actions feature is not properly sanitised before being displayed to the user via nodes and taxonomy terms. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires “administer actions” permissions.

• Bug Tracker URL: http://bugs.frugalware.org/task/4286

CVEs:

• No CVE, see http://drupal.org/node/880476.