• IDP Daily Update #1253
  posted: 09/04/08
  
• NSM Daily Update #1253
  posted: 09/04/08
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1253
  posted: 09/04/08
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1252
  posted: 09/04/08
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 09/04/08

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Drupal Arbitrary PHP Code Execution Vulnerability

Severity: HIGH

Description:

Drupal is an open-source content management system. Drupal is available for a number of platforms including Microsoft Windows operating systems and Unix/Linux variants.

Drupal is prone to a vulnerability that permits the execution of arbitrary PHP code. This issue is due to a failure in the application to properly sanitize user-supplied input.

The problem presents itself in 'comments' and 'postings'; the application's filter mechanism fails to properly sanitize those fields. An attacker can supply arbitrary code to those fields and have it executed in the context of the Web server process.

The vendor has addressed this issue in Drupal versions 4.6.2 and 4.5.4; earlier versions are reported vulnerable.

Affected Products:

• Debian Linux 3.1.0
• Debian Linux 3.1.0 alpha
• Debian Linux 3.1.0 arm
• Debian Linux 3.1.0 hppa
• Debian Linux 3.1.0 ia-32
• Debian Linux 3.1.0 ia-64
• Debian Linux 3.1.0 m68k
• Debian Linux 3.1.0 mips
• Debian Linux 3.1.0 mipsel
• Debian Linux 3.1.0 ppc
• Debian Linux 3.1.0 s/390
• Debian Linux 3.1.0 sparc
• Drupal Drupal 4.5.0
• Drupal Drupal 4.5.1
• Drupal Drupal 4.5.2
• Drupal Drupal 4.5.2
• Drupal Drupal 4.5.3
• Drupal Drupal 4.6.0
• Drupal Drupal 4.6.1

References:

• Drupal: Drupal 4.6.2 and 4.5.4 released
• Drupal: Vendor Homepage