- Advisory ID: DRUPAL-SA-CORE-2014-003
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2014-July-16
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)
Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.
The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.
Access bypass (File module - Drupal 7 - Critical)
The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.
This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.
Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.
Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)
A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.
This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.
Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)
A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.
This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.
CVE identifier(s) issued
- Denial of service (Base system - Drupal 6 and 7 - Critical): CVE-2014-5019
- Access bypass (File module - Drupal 7 - Critical): CVE-2014-5020
- Cross-site scripting (Form API - Drupal 6 and 7 - Moderately critical): CVE-2014-5021
- Cross-site scripting (Ajax system - Drupal 7 - Moderately critical): CVE-2014-5022
- Drupal core 6.x versions prior to 6.32.
- Drupal core 7.x versions prior to 7.29.
Install the latest version:
- If you use Drupal 6.x, upgrade to Drupal core 6.32.
- If you use Drupal 7.x, upgrade to Drupal core 7.29.
Also see the Drupal core project page.
- The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
- The access bypass vulnerability in the File module was reported by Ivan Ch.
- The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
- The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
- The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
- The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
- The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
- The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity