Debian Bug report logs - #368835
drupal: Execution of arbitrary files in certain Apache configurations


Package: drupal; Maintainer for drupal is (unknown);

Reported by: Kevin Dalley <kevin@kelphead.org>

Date: Thu, 25 May 2006 09:18:06 UTC

Severity: grave

Tags: security

Found in version drupal/4.5.8-1

Fixed in versions drupal/4.5.8-1.1, drupal/4.5.8-2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Hilko Bengen <bengen@debian.org>:
Bug#368835; Package drupal.

Acknowledgement sent to Kevin Dalley <kevin@kelphead.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Hilko Bengen <bengen@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Kevin Dalley <kevin@kelphead.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: drupal: Execution of arbitrary files in certain Apache configurations
Date: Thu, 25 May 2006 02:14:21 -0700
Package: drupal
Version: 4.5.8-1
Severity: grave
Tags: security
Justification: user security hole

http://drupal.org/node/65409

------------EXECUTION OF ARBITRARY FILES IN CERTAIN APACHE CONFIGURATIONS------------

 * Advisory ID: DRUPAL-SA-2006-006

 * Project: Drupal core

 * Date: 2006-May-24

 * Security risk: highly critical

 * Impact: Drupal core

 * Exploitable from: remote

 * Vulnerability: Execution of arbitrary files

------------DESCRIPTION------------

Certain -- alas, typical -- configurations of Apache allow execution of
carefully named arbitrary scripts in the files directory.  Drupal now will
attempt to automatically create a .htaccess file in your "files" directory
to protect you.

------------VERSIONS AFFECTED------------

- All Drupal versions before 4.6.7 and also Drupal 4.7.0.

------------SOLUTION------------

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

Make sure you have a .htaccess in your "files" dir and it contains this line:

SetHandler This_is_a_Drupal_security_line_do_not_remove

------------REPORTED BY------------

milw0rm

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
using the form at [http://drupal.org/contact].



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages drupal depends on:
ii  apache-ssl [httpd]            1.3.34-2   versatile, high-performance HTTP s
ii  apache2-mpm-prefork [httpd]   2.0.55-4   traditional model for Apache2
ii  debconf [debconf-2.0]         1.5.0      Debian configuration management sy
ii  libapache2-mod-php4           4:4.4.2-1  server-side, HTML-embedded scripti
ii  makepasswd                    1.10-3     Generate and encrypt passwords
ii  mysql-client-5.0 [mysql-clien 5.0.18-7   mysql database client binaries
ii  php4-cgi                      4:4.4.2-1  server-side, HTML-embedded scripti
ii  php4-cli                      4:4.4.2-1  command-line interpreter for the p
ii  php4-mysql                    4:4.4.2-1  MySQL module for php4
ii  php4-pgsql                    4:4.4.2-1  PostgreSQL module for php4
ii  postfix [mail-transport-agent 2.1.5-9    A high-performance mail transport 
ii  postgresql-client             7.5.19     front-end programs for PostgreSQL 
ii  wwwconfig-common              0.0.45     Debian web auto configuration

Versions of packages drupal recommends:
ii  mysql-server-5.0 [mysql-serve 5.0.18-7   mysql database server binaries
ii  postgresql                    7.5.19     object-relational SQL database man

-- debconf information:
  drupal/remove_backups: false
  drupal/createuser_failed:
  drupal/db_auto_update: true
  drupal/dropdb_failed:
  drupal/upgradedb_impossible:
  drupal/dbgeneration: false
  drupal/dbtype: MySQL
  drupal/database_doremove: false
  drupal/createdb_failed:
  drupal/dbserver: localhost
  drupal/webserver: apache
  drupal/upgradedb_failed:
  drupal/dbname: drupal
  drupal/dbuser: drupal
  drupal/dbadmin: root
  drupal/initdb_failed:
  drupal/conffile_failed:



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#368835; Package drupal.

Acknowledgement sent to Kevin Dalley <kevin@kelphead.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>.

Message #10 received at 368835@bugs.debian.org:

From: Kevin Dalley <kevin@kelphead.org>
To: 368835@bugs.debian.org
Subject: drupal: Execution of arbitrary files in certain Apache configurations
Date: Thu, 01 Jun 2006 16:33:37 -0700
Here is updated information on the bug.  The problem takes more work
to fix than first reported.

------------REVISION TO DRUPAL-SA-2006-006------------

 * Advisory ID: DRUPAL-SA-2006-007

 * Project: Drupal core and potentially any web application that accepts
uploads.

 * Date: 2006-Jun-01

 * Security risk: highly critical

 * Impact: Drupal core

 * Exploitable from: remote

 * Vulnerability: Execution of arbitrary files

------------DESCRIPTION------------

Recently, the Drupal security team was informed of a potential exploit that
would allow untrusted code to be executed upon a successful request by a
malicious user. If a dynamic script with multiple extensions such as
file.php.pps or file.sh.txt is uploaded and then accessed from a web browser
under certain common Apache configurations, it will cause the script inside to
be executed. We deemed this exploit critical and released Drupal 4.6.7 and
4.7.1 six hours after the report was filed. The fix was to create a .htaccess
file to remove /all/ dynamic script handlers, such as PHP, from the "files"
directory.

After continuous review, however, we've found that the fix will not work in
certain Apache configurations, for example those for whom .htaccess FileInfo
overrides are disabled. We are thus releasing 4.6.8 and 4.7.2 with a more
robust .htaccess fix, as well as a Drupal core solution to the issue which will
work under all configurations. The new behavior of Drupal's upload.module is to
rename all uploaded files with multiple, non-numeric, and non-whitelisted
extensions by any other user than the administrator. For example:

file.php.pps
this is a long file.name.txt

becomes:

file.php_.pps
this is a long file.name_.txt

*Please note that the particular Apache configurations under which this exploit
is possible will affect ANY web application on the server which allows uploads
to web-accessible directories, not just Drupal.* The Drupal security team has
also contacted other projects, such as WordPress, about this issue and new
versions of their software have either already been released, or are
forthcoming.

4.7.2 also fixes a potential XSS bug with upload.module.

------------VERSIONS AFFECTED------------

- All Drupal versions before 4.6.8 and before Drupal 4.7.2.

------------SOLUTION------------

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.8
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.8.tar.gz].
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.2
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.2.tar.gz].
To patch Drupal 4.6.7 use http://drupal.org/files/sa-2006-007/4.6.7.patch.
To patch Drupal 4.7.1 use http://drupal.org/files/sa-2006-007/4.7.1.patch.

------------REPORTED BY------------

DRUPAL-SA-2006-06 issue: Lourens Veen
XSS vulnerability in upload.module: Karoly Negyesi

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
using the form at [http://drupal.org/contact].
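The renaming rule the revised advisory describes, as an added Python example written for this page (not Drupal's upload.module code): every intermediate extension that is neither numeric nor on an allow-list gets an underscore appended, and a simplified model of mod_mime's multiple-extension matching shows why the renamed name no longer reaches a script handler. The allow-list and the handler map are constructed assumptions, not Drupal or Apache defaults.

```python
# Constructed allow-list standing in for a site's "permitted upload
# extensions" setting (an assumption; not Drupal's default list).
SAFE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "zip"}

# Constructed, simplified model of mod_mime: with multiple extensions,
# any dot-separated part after the basename can select a handler,
# regardless of whether it is the last part.
SCRIPT_HANDLERS = {"php": "application/x-httpd-php", "sh": "cgi-script"}


def mod_mime_handler(filename, handlers=SCRIPT_HANDLERS):
    """Return the handler this model would pick for the name, or None."""
    for part in filename.split(".")[1:]:
        if part.lower() in handlers:
            return handlers[part.lower()]
    return None


def munge_filename(filename, whitelist=SAFE_EXTENSIONS):
    """Append '_' to each intermediate extension that is neither numeric
    nor allow-listed. The basename (which may contain spaces) and the
    final extension are left as they are, matching the advisory's
    examples: 'file.php.pps' -> 'file.php_.pps'."""
    parts = filename.split(".")
    if len(parts) < 3:
        return filename  # zero or one extension: nothing to neutralise
    base, *middle, last = parts
    out = [base]
    for part in middle:
        if part and not part.isdigit() and part.lower() not in whitelist:
            part += "_"
        out.append(part)
    out.append(last)
    return ".".join(out)


if __name__ == "__main__":
    for name in ("file.php.pps", "this is a long file.name.txt",
                 "file.sh.txt", "report.2006.pdf"):
        safe = munge_filename(name)
        print(f"{name!r} -> {safe!r}: handler before={mod_mime_handler(name)}, "
              f"after={mod_mime_handler(safe)}")
```

The final extension is still checked separately against the allow-list by the upload code; this function only neutralises the intermediate parts that mod_mime would otherwise match.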





Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.

Tags removed: fixed. Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org.

Bug marked as fixed in version 4.5.8-1.1, send any further explanations to Kevin Dalley <kevin@kelphead.org>. Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org.


Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.

Notification sent to Kevin Dalley <kevin@kelphead.org>:
Bug acknowledged by developer.

Message #25 received at 368835-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 368835-close@bugs.debian.org
Subject: Bug#368835: fixed in drupal 4.5.8-2
Date: Wed, 09 Aug 2006 09:02:20 -0700
Source: drupal
Source-Version: 4.5.8-2

We believe that the bug you reported is fixed in the latest version of
drupal, which is due to be installed in the Debian FTP archive:

drupal_4.5.8-2.diff.gz
  to pool/main/d/drupal/drupal_4.5.8-2.diff.gz
drupal_4.5.8-2.dsc
  to pool/main/d/drupal/drupal_4.5.8-2.dsc
drupal_4.5.8-2_all.deb
  to pool/main/d/drupal/drupal_4.5.8-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 368835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated drupal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed,  9 Aug 2006 17:46:45 +0200
Source: drupal
Binary: drupal
Architecture: source all
Version: 4.5.8-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 drupal     - fully-featured content management/discussion engine
Closes: 368835 382087
Changes: 
 drupal (4.5.8-2) unstable; urgency=high
 .
   * QA Upload for orphaned package.
     High urgency for security fix.
 .
   * CVE-2006-4002: drupal XSS vulnerability (Closes: #382087).
     Apply upstream patch.
   * Setting maintainer to Debian QA Group.
   * Move debhelper to Build-Depends since used in clean target.
   * Acknowledging changes from NMU by Steinar Gunderson, thanks!
 .
 drupal (4.5.8-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Backport changes from 4.6.6 -> 4.6.8 to fix security issues:
     - DRUPAL-SA-2006-005/CVE-2006-2742: fixes critical SQL issue
     - DRUPAL-SA-2006-006/CVE-2006-2743: fixes critical upload issue
     - DRUPAL-SA-2006-007/CVE-2006-2832: fixes critical upload issue (Closes: #368835)
     - DRUPAL-SA-2006-008/CVE-2006-2833: fixes taxonomy XSS issue
Files: 
 7a3a88e0ae9d7dd9a80da82c5e5da624 563 web extra drupal_4.5.8-2.dsc
 29b8b465222b6b5a3f134e917ab690e8 49993 web extra drupal_4.5.8-2.diff.gz
 5d5252f6f3bf9442fa479b8c39a628de 489646 web extra drupal_4.5.8-2_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 05:10:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:56:03 2014; Machine Name: buxtehude.debian.org
