By email from friend Mitch, I found out that there's a "new" Drupal exploit which allows posters to inject arbitrary code into the system for execution on the server, by way of comments. The Drupal.org site is presently down, and apparently has been since last night.
If you're running Drupal 4.5.1 or 4.6.2, turn off your comments. For visitors here, I'm sorry that you presently cannot comment and I'll turn them back on as soon as possible.
The exploit, for those curious, can be found here: http://www.milw0rm.com/id.php?id=1088
From Mitch:
I've gleaned a little bit about how it works but haven't figured out the exact fix yet. The bug is in comment posting. It POSTs an input "format" type of "2" (PHP code) and it puts some PHP code in the comment body that executes system() with whatever command you like. I haven't tested the exact sequence from that point on. It looks like Drupal checks the format type to make sure you're authorized but in the end it may execute it anyway via comment_preview().
If this is the way it works (Mitch is usually right) then disabling PHP posting by users *might* do the trick. But if you value your Drupal website, maybe it's better to turn off the comments module until there is a fix.
Having just gotten this information, I'm only beginning to look at it. When the Drupal.org site is back up we'll know much more.
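
The kind of check Mitch describes, written so that the preview path cannot skip it. This is an added PHP example, not Drupal's code and not part of the original post: every function name, the role table and the sample POST are hypothetical, and only the format value 2 (PHP code) comes from the post.

```php
<?php
// Added illustration; names below are hypothetical, not Drupal's API.
const FORMAT_FILTERED = 1; // filtered HTML (assumed safe default)
const FORMAT_PHP      = 2; // "PHP code" input format, per the post

// Formats each role may submit (constructed sample policy).
function allowed_formats(string $role): array {
    $policy = [
        'anonymous' => [FORMAT_FILTERED],
        'admin'     => [FORMAT_FILTERED, FORMAT_PHP],
    ];
    return $policy[$role] ?? [FORMAT_FILTERED];
}

// Decide which format the request may really use. Fails closed:
// anything missing, malformed or not permitted becomes FORMAT_FILTERED.
function resolve_format(string $role, $requested): int {
    $format = filter_var($requested, FILTER_VALIDATE_INT);
    if ($format === false || !in_array($format, allowed_formats($role), true)) {
        return FORMAT_FILTERED;
    }
    return $format;
}

// One render path shared by preview and save, so the authorization
// result is the value that reaches the renderer, not the raw POST field.
function render_comment(string $role, array $post): string {
    $format = resolve_format($role, $post['format'] ?? FORMAT_FILTERED);
    $body   = (string) ($post['comment'] ?? '');
    if ($format === FORMAT_PHP) {
        // Only reachable for a role allowed the PHP format.
        // Evaluation is deliberately left out of this example.
        return '[PHP format accepted for trusted role]';
    }
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// Preview must go through the same gate as a saved comment.
function comment_preview_example(string $role, array $post): string {
    return render_comment($role, $post);
}

// Constructed sample POST: format "2" with PHP tags in the body.
$post = ['format' => '2', 'comment' => '<?php echo 1; ?>'];
echo comment_preview_example('anonymous', $post), "\n"; // escaped text
echo comment_preview_example('admin', $post), "\n";     // trusted branch
```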
