Scoutnet vzw http://forum.scoutnet.be/ |
[Drupal] Security announcements: HTTP response splitting http://forum.scoutnet.be/viewtopic.php?f=19&t=1975 |
Page 1 of 1 |
Author: | To [ 20 Oct 2007 13:13 ] |
Title: | [Drupal] Security announcements: HTTP response splitting |
------------ SA-2007-024 - DRUPAL CORE - HTTP RESPONSE SPLITTING ------------

* Advisory ID: DRUPAL-SA-2007-024
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2007-October-17
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: HTTP response splitting

------------ DESCRIPTION ------------

In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.

------------ VERSIONS AFFECTED ------------

* Drupal 4.7.x before version 4.7.8.
* Drupal 5.x before version 5.3.

------------ SOLUTION ------------

Install the latest version:

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8 [ http://ftp.drupal.org/files/projects/dr ... 7.8.tar.gz ].
* If you are running Drupal 5.x then upgrade to Drupal 5.3 [ http://ftp.drupal.org/files/projects/drupal-5.3.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

* To patch Drupal 4.7.7 use SA-2007-024-4.7.7.patch [ http://drupal.org/files/sa-2007-024/SA- ... .7.7.patch ].
* To patch Drupal 5.2 use SA-2007-024-5.2.patch [ http://drupal.org/files/sa-2007-024/SA- ... -5.2.patch ].

------------ REPORTED BY ------------

The Drupal security team.

------------ CONTACT ------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ]. |
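As an added illustration of the bug class the advisory describes (this is not Drupal's code nor part of the advisory), the snippet below shows a redirect that passes a user-supplied value straight into a response header next to a hardened version. The helper `assert_single_header_line` is hypothetical; the sample inputs are constructed.

```php
<?php
// Added illustration (not Drupal's code): why unescaped user input in a
// response header enables HTTP response splitting, and one way to block it.

// VULNERABLE: a CR/LF pair inside $destination terminates the Location
// header line, so the rest of the value is parsed as further headers or body.
function redirect_vulnerable(string $destination): void {
    header('Location: ' . $destination);
}

// HARDENED: refuse any value that cannot be exactly one header line.
// Hypothetical helper. It checks the raw value and its percent-decoded form,
// because "%0d%0a" may be decoded again before the value reaches the wire.
function assert_single_header_line(string $name, string $value): string {
    // Header names are RFC 7230 tokens; anything else is rejected outright.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
        throw new InvalidArgumentException("Invalid header name: $name");
    }
    foreach ([$value, rawurldecode($value)] as $candidate) {
        if (preg_match('/[\r\n\0]/', $candidate)) {
            throw new InvalidArgumentException(
                "Refusing header '$name': value contains a line break or NUL");
        }
    }
    return $value;
}

function redirect_hardened(string $destination): void {
    header('Location: ' . assert_single_header_line('Location', $destination));
}

// Demonstration with constructed values; no real request is involved.
$good = '/node/1?page=2';
$bad  = "/node/1\r\nX-Injected: test";      // constructed: embedded CR/LF
$enc  = '/node/1%0d%0aX-Injected%3A%20test'; // constructed: encoded CR/LF

echo "accepted: ", assert_single_header_line('Location', $good), PHP_EOL;
foreach ([$bad, $enc] as $input) {
    try {
        assert_single_header_line('Location', $input);
        echo "accepted: $input", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

PHP's own `header()` has refused values containing newlines since 5.1.2, but validating at the application boundary still fails closed with a clear error and also covers headers written through other paths (proxies, cached page output, custom header emitters).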
All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |