Scoutnet vzw

We connect scouts!
All times are UTC + 1 hour
Posted: 18 Dec 2006 11:39
Author: Site Admin (offline)
Registered: 17 Jul 2002 23:00
Posts: 1522
Location: Wetteren

------------PROJECT AND PROJECT ISSUE TRACKING XSS------------

* Advisory ID: DRUPAL-SA-2006-031.
* Project: Project and Project issue tracking (third party modules).
* Date: 2006-Dec-18.
* Security risk: Less critical.
* Exploitable from: Remote.
* Vulnerability: Cross site scripting.

------------DESCRIPTION------------

Several fields are not passed through check_plain() on display. A malicious user could use these fields to insert and execute XSS (Cross Site Scripting).
This may lead to administrator access if certain conditions are met.
Additionally, certain error messages are generated that include potentially malicious data without filtering.
Learn more about XSS on Wikipedia [http://en.wikipedia.org/wiki/Cross_site_scripting].

Revoking the "access projects" permission provides an immediate workaround.

------------VERSIONS AFFECTED------------

* Project issue tracking 4.7.x-2.0
* Project issue tracking 4.7.x-1.0
* Project 4.7.x-2.0
* Project 4.7.x-1.0
* Project 4.6.x-1.0
* Project issue tracking 4.7.0 (from before the new release system)
* Project 4.7.0 (from before the new release system)
* Project 4.6.0 (from before the new release system)

Note that in 4.6.x, Project issue tracking is included as part of the Project module.

Drupal core is not affected. If you do not use the contributed Project and/or Project issue tracking modules, there is nothing you need to do.

------------SOLUTION------------

Install the latest versions:

* Project issue tracking 4.7.x-2.1 [http://drupal.org/node/103953].
* Project issue tracking 4.7.x-1.1 [http://drupal.org/node/103952].
* Project 4.7.x-2.1 [http://drupal.org/node/103951].
* Project 4.7.x-1.1 [http://drupal.org/node/103950].
* Project 4.6.x-1.1 [http://drupal.org/node/103949].

If you are using a version of Project and/or Project issue tracking from before the new release system (4.7.0), upgrade to 4.7.x-1.1.

See also the Project [http://drupal.org/project/project] and Project issue tracking [http://drupal.org/project/project_issue] home pages.

------------REPORTED BY------------

Derek Wright (dww) from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].


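The escaping failure described under DESCRIPTION, as an added example that is not part of the advisory and not code from the Project or Project issue tracking modules: a Drupal 4.7-style PHP render path that interpolates a user-supplied issue field and an error message into HTML without check_plain(), beside the corrected form. The field names, the sample issue record and the payload are constructed for illustration; check_plain() is stubbed (with the same htmlspecialchars/ENT_QUOTES behaviour Drupal 4.7 used) so the file runs outside Drupal.

```php
<?php
// Added example, not Project module code. Shows the "field not passed
// through check_plain() on display" bug from DRUPAL-SA-2006-031 and its fix.

// Stand-in so the file runs outside Drupal. Drupal 4.7's check_plain() was
// htmlspecialchars() with ENT_QUOTES; inside Drupal the real one is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed issue record. The title is attacker-controlled: any account
// allowed to file issues can submit it, and it is later rendered for an
// administrator. A real payload would send document.cookie to the attacker,
// which is the "administrator access" path the advisory warns about.
$payload = '<img src=x onerror=alert(document.cookie)>';
$issue = array(
  'title'     => $payload,
  'component' => 'Code',
);

// VULNERABLE: fields are concatenated into HTML as stored, so the browser
// runs the onerror handler when the issue page is viewed.
function render_issue_unsafe($issue) {
  return '<h2>' . $issue['title'] . '</h2>'
       . '<div class="component">' . $issue['component'] . '</div>';
}

// FIXED: every user-supplied value is escaped at display time, so '<', '>',
// '"' and "'" reach the browser as entities and are shown, not executed.
function render_issue_safe($issue) {
  return '<h2>' . check_plain($issue['title']) . '</h2>'
       . '<div class="component">' . check_plain($issue['component']) . '</div>';
}

// The advisory's second finding: an error message that echoes the offending
// value unfiltered. Same bug, same fix.
function component_error_unsafe($component) {
  return 'Component ' . $component . ' does not exist.';
}

function component_error_safe($component) {
  return 'Component ' . check_plain($component) . ' does not exist.';
}

// Review/regression check: the submitted payload must never appear verbatim
// in rendered output. (A stricter check would parse the HTML; a literal
// substring test is enough to catch this class of bug in a test suite.)
function renders_payload($html, $payload) {
  return strpos($html, $payload) !== false;
}

print "Unsafe issue render carries payload: "
    . (renders_payload(render_issue_unsafe($issue), $payload) ? 'yes' : 'no') . "\n";
print "Safe issue render carries payload:   "
    . (renders_payload(render_issue_safe($issue), $payload) ? 'yes' : 'no') . "\n";
print render_issue_safe($issue) . "\n\n";

$bad_component = '"><script>alert(1)</script>';
print "Unsafe error carries payload: "
    . (renders_payload(component_error_unsafe($bad_component), $bad_component) ? 'yes' : 'no') . "\n";
print "Safe error carries payload:   "
    . (renders_payload(component_error_safe($bad_component), $bad_component) ? 'yes' : 'no') . "\n";
print component_error_safe($bad_component) . "\n";
```

Run with `php example.php`: the unsafe render contains the payload verbatim, the safe one contains `&lt;img src=x onerror=alert(document.cookie)&gt;`. The rule the fix applies is escape at the output point, not on input, so stored data stays intact for other consumers (e-mail notifications, RSS, the API) while no render path is left trusting it. check_plain() is correct only for HTML text and quoted attribute values; a value placed in a URL or inside a script block needs the escaper for that context, and the workaround in the advisory (revoking "access projects") simply stops untrusted users from reaching the unescaped pages until the fixed release is installed.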