Scoutnet vzw

We connect scouts!
Het is momenteel 29 Mrt 2024 16:03

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 20 Okt 2007 13:16 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2007-026 - DRUPAL CORE - CROSS SITE SCRIPTING VIA UPLOADS------------

* Advisory ID: DRUPAL-SA-2007-026
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2007-October-17
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files. but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

------------IMPORTANT NOTE: CONFIGURATION CHANGE NEEDED------------

Installing the upgrade or using the patch will not remove the .html extensions from an already configured upload module. Visit Administer » Site Configuration » File uploads (admin/settings/uploads) on Drupal 5.x or administer » settings » upload (admin/settings/upload) on Drupal 4.7.x to remove html from the allowed extensions lists.

The steps above will stop uploads of malicious files, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path for any HTML files.

------------VERSIONS AFFECTED------------

* Drupal 4.7.x before version 4.7.8.
* Drupal 5.x before version 5.3.

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8 [ http://ftp.drupal.org/files/projects/dr ... 7.8.tar.gz ].
* If you are running Drupal 5.x then upgrade to Drupal 5.3 [ http://ftp.drupal.org/files/projects/drupal-5.3.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

* To patch Drupal 4.7.7 use SA-2007-026-4.7.7.patch [ http://drupal.org/files/sa-2007-026/SA- ... .7.7.patch ].
* To patch Drupal 5.2 use SA-2007-026-5.2.patch [ http://drupal.org/files/sa-2007-026/SA- ... -5.2.patch ].

------------REPORTED BY------------

The Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 14 gasten


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.