Scoutnet vzw

We connect scouts!
Het is momenteel 29 Mrt 2024 11:15

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 01 Aug 2007 21:35 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------DRUPAL CORE - MULTIPLE CROSS SITE SCRIPTING VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2007-018
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2007-July-26
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple cross site scripting vulnerabilities

------------DESCRIPTION------------

Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website. Revoking the 'administer content types' permission provides an immediate workaround.

Wikipedia has more information about cross site scripting [http://en.wikipedia.org/wiki/Xss] (XSS).

------------VERSIONS AFFECTED------------

* Drupal 4.7.x before version 4.7.7.
* Drupal 5.x before version 5.2.

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.7 [http://ftp.drupal.org/files/projects/drupal-4.7.7.tar.gz].
* If you are running Drupal 5.x then upgrade to Drupal 5.2 [http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
* To patch Drupal 4.7.6 use SA-2007-018-4.7.6.patch [http://drupal.org/files/sa-2007-018/SA-2007-018-4.7.6.patch].
* To patch Drupal 5.1 use SA-2007-018-5.1.patch [http://drupal.org/files/sa-2007-018/SA-2007-018-5.1.patch].

------------IMPORTANT NOTE------------

settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites' settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

------------REPORTED BY------------

* The server variables issue was reported by David Caylor.
* Content type naming issues were reported by Karthik.

------------THANKS------------

The security team wishes to thank Dave, Morten Wulff, Brenda Wallace, Fernando Silva, Gerhard Killesreiter, Brandon Bergren, Bart Jansens and Neil Drumm for technical assistance.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [http://drupal.org/contact].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 14 gasten


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.