Scoutnet vzw

We connect scouts!
Posted: 12 Apr 2007 1:08
------------MULTIPLE VULNERABILITIES IN DATABASE ADMINISTRATION (DBA) MODULE------------

* Advisory ID: DRUPAL-SA-2007-013.
* Project: Database Administration (third-party module).
* Version: 4.6.x-1.*, 4.7.x-1.*.
* Date: 2007-April-11.
* Security risk: Critical.
* Exploitable from: Remote.
* Vulnerability: Cross site scripting and cross site request forgery.

------------DESCRIPTION------------

The Database Administration (dba) module allows site administrators with sufficient privileges to view and directly modify the Drupal database tables for a site. Numerous cross-site scripting (XSS) vulnerabilities were discovered when the administrator runs queries to display data from the database, and in other parts of the user interface. Learn more about XSS on Wikipedia [http://en.wikipedia.org/wiki/Cross_site_scripting].

Additionally, the module was never fully ported to the Drupal Form API, so there were places in the code that were still vulnerable to cross-site request forgery (CSRF) attacks. See DRUPAL-SA-2006-025 [http://drupal.org//node/88828] for more information.

Disabling the Database administration module provides an immediate workaround.

------------VERSIONS AFFECTED------------

* Database administration (dba) 4.7.x-1.* before version 4.7.x-1.2.
* All versions of dba.module 4.6.x-*.

Drupal core is not affected. If you do not use the contributed Database administration module, there is nothing you need to do.

------------SOLUTION------------

* If your site is running 4.7.x, install the latest version: Database administration 4.7.x-1.2 [http://drupal.org//node/135552].
* If your site is running 4.6.x, you should disable the dba.module. This version is no longer supported and the currently released 4.6.x versions are insecure.

Reported by:

* XSS by Derek Wright (dww [http://drupal.org/user/46549]) of the Drupal Security Team.
* CSRF by Heine Deelstra (Heine [http://drupal.org/user/17943]) of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].

