Drupal Security Announcements, December 2008

SA-2008-072
The Storm project module allows users with access to a storm project to enter data that is not properly sanitized.

Versions Affected

  • Drupal 5; anything prior to 5.x-1.14
  • Drupal 6; anything prior to 6.x-1.18

SA-2008-073
There is a CSRF vulnerability in Drupal core which may allow someone to rerun old updates, affecting the database.
Also note that the robots.txt and .htaccess files have changed and need to be replaced with the copies shipped in the new core release.
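The fix for a CSRF issue of the kind described above is to tie every state-changing request (such as "run this update") to a secret token that a cross-site page cannot obtain. The following is an added illustration, not Drupal's own token code: it mints an HMAC token bound to the session and to the exact action, and the update runner refuses any request whose token is missing, forged, or minted for a different update. The secret, session id and update names are constructed for the example.

```python
import hashlib
import hmac

# Constructed values for this example: a per-site secret (in a real deployment this
# comes from server-side configuration, never from the request) and a session id.
SITE_SECRET = b"constructed-site-secret-replace-in-real-use"


def make_token(session_id: str, action: str) -> str:
    """Mint a CSRF token bound to one session and one specific action."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, action: str) -> bool:
    """Check a submitted token in constant time against the expected one."""
    return hmac.compare_digest(token, make_token(session_id, action))


class UpdateRunner:
    """Toy stand-in for an update script: records which updates it applied."""

    def __init__(self) -> None:
        self.applied: list[str] = []

    def run_update(self, request: dict, session_id: str) -> bool:
        """Apply the requested update only if the request carries a token
        minted for this session and for exactly this update."""
        update = request.get("update", "")
        action = f"run-update:{update}"
        token = request.get("token", "")
        if not valid_token(token, session_id, action):
            return False  # refuse: no token, wrong session, or wrong action
        self.applied.append(update)
        return True


def demo() -> dict:
    """Exercise the runner with a legitimate request and two cross-site ones."""
    runner = UpdateRunner()
    sess = "constructed-session-1234"
    update = "example_update_6001"  # constructed update name

    # The form rendered for this session embeds a token for this action.
    legit = {"update": update, "token": make_token(sess, f"run-update:{update}")}
    # A request forged from another site cannot read the victim's token.
    forged = {"update": update}
    # A token minted for one update must not authorize a different one.
    reused = {"update": "example_update_6002",
              "token": make_token(sess, f"run-update:{update}")}

    return {
        "legit": runner.run_update(legit, sess),
        "forged": runner.run_update(forged, sess),
        "reused": runner.run_update(reused, sess),
        "applied": runner.applied,
    }


if __name__ == "__main__":
    print(demo())
```

Binding the token to the action as well as the session is the detail that matters for an update script: a token harvested from one form on the site should not be enough to trigger a different, more damaging operation.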

Versions Affected

  • Drupal 5; anything prior to 5.13
  • Drupal 6; anything prior to 6.7

Patches to use

  • Drupal 5.12 use SA-2008-073-5.12.patch
  • Drupal 6.6 use SA-2008-073-6.6.patch

SA-2008-074
The Services module does not sign enough of the information that passes through it and uses an insecure hash for signing part of the request, allowing impersonation attacks. In addition, the validity of a request does not time out, so the same request can be used multiple times, allowing repeat (replay) attacks.
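The two weaknesses named above (partial signing with a weak hash, and no expiry) are best seen side by side. This is an added example, not the Services module's own code: `weak_verify` shows the flawed pattern, checking an MD5 over only the method name, so altered parameters still pass; `Verifier` shows the hardened pattern, an HMAC-SHA256 over the whole canonical request plus a timestamp window and a one-time nonce, so tampered, stale and replayed requests are all rejected. The shared key, method names and clock value are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed pre-shared key between the client and the service endpoint.
SHARED_KEY = b"constructed-shared-key-replace-in-real-use"


def weak_signature(method: str) -> str:
    """The flawed pattern: a weak hash over only part of the request.
    Anything not covered (here, the parameters) can be altered freely."""
    return hashlib.md5(SHARED_KEY + method.encode()).hexdigest()


def weak_verify(msg: dict) -> bool:
    """Verification under the weak scheme: only the method name is checked."""
    return hmac.compare_digest(msg.get("weak_sig", ""), weak_signature(msg["method"]))


def canonical(method: str, params: dict, ts: int, nonce: str) -> bytes:
    """Deterministic serialization of everything that must be protected."""
    body = {"method": method, "params": params, "ts": ts, "nonce": nonce}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def strong_signature(method: str, params: dict, ts: int, nonce: str) -> str:
    return hmac.new(SHARED_KEY, canonical(method, params, ts, nonce), hashlib.sha256).hexdigest()


def sign_request(method: str, params: dict, ts: int, nonce: str) -> dict:
    """Client side: HMAC-SHA256 over the whole canonical request."""
    return {"method": method, "params": params, "ts": ts, "nonce": nonce,
            "sig": strong_signature(method, params, ts, nonce)}


class Verifier:
    """Server side: checks freshness, one-time use of the nonce, and the signature."""

    def __init__(self, max_skew: int = 300, clock=time.time) -> None:
        self.max_skew = max_skew
        self.clock = clock                # injectable for deterministic demos
        self.seen: dict[str, int] = {}    # nonce -> timestamp it was accepted with

    def verify(self, msg: dict) -> tuple:
        now = int(self.clock())
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale"
        if msg["nonce"] in self.seen:
            return False, "replay"
        expected = strong_signature(msg["method"], msg["params"], msg["ts"], msg["nonce"])
        if not hmac.compare_digest(msg["sig"], expected):
            return False, "bad signature"
        self.seen[msg["nonce"]] = msg["ts"]
        # Forget nonces that could no longer pass the freshness check anyway,
        # so the replay cache stays bounded by the time window.
        cutoff = now - self.max_skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        return True, "ok"


def demo() -> dict:
    fixed_now = 1_230_000_000  # constructed clock value (late December 2008)
    v = Verifier(max_skew=300, clock=lambda: fixed_now)

    legit = sign_request("node.get", {"nid": 7}, fixed_now, "nonce-1")
    replay = dict(legit)                                         # same message sent again
    tampered = dict(legit, params={"nid": 8}, nonce="nonce-2")   # body changed, old sig kept
    stale = sign_request("node.get", {"nid": 7}, fixed_now - 1000, "nonce-3")

    # Under the weak scheme, changing the parameters leaves the signature valid.
    weak_msg = {"method": "node.get", "params": {"nid": 7}, "weak_sig": weak_signature("node.get")}
    weak_tampered = dict(weak_msg, params={"nid": 8})

    return {
        "legit": v.verify(legit),
        "replay": v.verify(replay),
        "tampered": v.verify(tampered),
        "stale": v.verify(stale),
        "weak_accepts_tampered": weak_verify(weak_tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce cache is what turns a signed request into a one-time request; the timestamp window is what keeps that cache small and gives a captured request a definite shelf life, which is the property the original module lacked.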

Versions Affected

  • Drupal 5; anything prior to 5.x-0.92
  • Drupal 6; anything prior to 6.x-0.13

Patches to use

  • Drupal 5.12 use SA-2008-073-5.12.patch
  • Drupal 6.6 use SA-2008-073-6.6.patch

SA-2008-075
The Views module for Drupal 6 is open to SQL injection when information from the CCK module is not correctly sanitized, which is sometimes the case. Drupal 5 is not affected.
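A query builder like Views that takes field names and filter values from module data has two distinct things to protect: the identifier (which cannot be bound as a parameter) and the value (which can). This added example, in Python with SQLite rather than Drupal's PHP database layer, shows the vulnerable form that splices both into the SQL text beside the hardened form that allowlists the field name and binds the value. The table, rows, allowlist and inputs are constructed for the example.

```python
import sqlite3

ALLOWED_FIELDS = {"field_color", "title"}  # constructed allowlist of filterable columns


def setup() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a node/field table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER, title TEXT, field_color TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?)",
                     [(1, "A", "red"), (2, "B", "blue"), (3, "C", "red")])
    return conn


def filter_unsafe(conn: sqlite3.Connection, field: str, value: str) -> list:
    """Vulnerable form: untrusted field name and value spliced into the SQL text."""
    sql = f"SELECT nid FROM node WHERE {field} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def filter_safe(conn: sqlite3.Connection, field: str, value: str) -> list:
    """Hardened form: identifier checked against an allowlist, value bound as a parameter."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field {field!r}")
    sql = f"SELECT nid FROM node WHERE {field} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def demo() -> dict:
    conn = setup()
    hostile = "x' OR '1'='1"  # constructed value that closes the quoted literal
    result = {
        "unsafe_benign": filter_unsafe(conn, "field_color", "red"),
        "unsafe_hostile": filter_unsafe(conn, "field_color", hostile),  # returns every row
        "safe_benign": filter_safe(conn, "field_color", "red"),
        "safe_hostile": filter_safe(conn, "field_color", hostile),      # treated as a literal
    }
    # An unexpected identifier is rejected outright rather than interpolated.
    try:
        filter_safe(conn, "nid = 1 OR 1", "x")
        result["safe_bad_field"] = "accepted"
    except ValueError:
        result["safe_bad_field"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The same split applies in Drupal's own database layer of that era: values go through query placeholders, while anything used as a table or column name has to be validated against a known set before it reaches the query string.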

Versions Affected

  • Drupal 6; anything prior to 6.x-2.2

Comments

2009?

Why don't you do more? 2009?
