Scoutnet vzw

We connect scouts!
Posted by: Site Admin (registered 17 Jul 2002, location Wetteren)
Posted: 20 Oct 2007 13:18

------------SA-2007-027 - TOKEN - CROSS SITE SCRIPTING ------------

* Advisory ID: DRUPAL-SA-2007-027
* Project: Several Modules That Use Token module
* Version: 5.x
* Date: 2007-October-17
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

Several server variables are not escaped consistently. When a malicious user is able to enter comments and then entice a victim to visit a web page, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

For example, a malicious user with the 'post comments' or 'post comments without approval' permission would be able to inject arbitrary HTML and script code on the website. If the site uses the Token module to display that text in an HTML page on the site, the malicious user can execute arbitrary HTML and script code on the website. Because the Token module provides a centralized API, several modules are impacted by this issue. The module may not be insecure on its own, but only when combined with another module or theme that uses it.

Other affected areas are vocabulary names, term names, and usernames.

Disabling the affected module provides an immediate workaround.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

------------VERSIONS AFFECTED------------

* ASIN Field Module 5.x before version 5.x-1.4 [ http://drupal.org/node/181903 ]
* e-Commerce Module 4.7.x-3.x before version 4.7.x-3.4 [ http://drupal.org/node/184325 ]
* e-Commerce Module 5.x-3.x before version 5.x-3.4 [ http://drupal.org/node/184322 ]
* e-Commerce Module 5.x-4.x-beta before version 5.x-4.0-alpha5 [ http://drupal.org/node/181681 ]
* Fullname field for CCK Module 5.x before version 5.x-1.1 [ http://drupal.org/node/183731 ]
* Invite Module 5.x-1.8+ before version 5.x-1.12 [ http://drupal.org/node/184334 ]
* Node Relativity Module 5.x-2.1 before version 5.x-2.2 [ http://drupal.org/node/180401 ]
* Pathauto Module 5.x-2.x before version 5.x-2.0-beta4 [ http://drupal.org/node/184264 ]
* PayPal Node Module 5.x before version 5.x-1.1 [ http://drupal.org/node/182933 ]
* Token Module 4.7.x before version 4.7.x-1.5 [ http://drupal.org/node/184257 ]
* Token Module 5.x before version 5.x-1.9 [ http://drupal.org/node/184256 ]
* Ubercart Module 5.x before version 5.x-1.0-alpha7e [ http://drupal.org/node/180803 ]

------------SOLUTION------------

Upgrade to the latest version of the Token module, and if you are running an earlier version of a module listed above, upgrade that as well:

* If you are running Drupal 4.7.x then upgrade to Token 4.7.x-1.5 [ http://drupal.org/node/184257 ].
* If you are running Drupal 5.x then upgrade to Token 5.x-1.9 [ http://drupal.org/node/184256 ].
* If you are running any of the other modules from the list above upgrade to the version specified in the list.

------------IMPORTANT NOTE------------

If you are the author of a module which depends on the Token module please read the API.txt file included with the token module for important information about how to deal with raw tokens.

------------REPORTED BY------------

Greg Knaddison (greggles [ http://drupal.org/user/36762 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

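The bug class in the advisory above, shown as an added, self-contained illustration rather than code from the Token module or any of the modules listed: a token API that hands user-controlled strings (a comment title, a username) straight to a consumer that drops them into HTML, beside an escape-by-default version where the unescaped text is only reachable through a separately named token. The sample comment data is constructed, and the "-raw" suffix for the unescaped variants is an assumption made for this example, not a name quoted from the page.

```php
<?php
// Added illustration of DRUPAL-SA-2007-027 (not the Token module's own code).
// Constructed attacker-controlled input, as a commenter could submit it.
$comment = array(
  'title'  => '<img src=x onerror="alert(document.cookie)">',
  'author' => 'mallory<script>alert(1)</script>',
);

// Vulnerable pattern: every token maps directly to the raw user string, so
// any consumer that places the result into an HTML page is injectable.
function tokens_vulnerable(array $comment) {
  return array(
    '[comment-title]'  => $comment['title'],
    '[comment-author]' => $comment['author'],
  );
}

// Hardened pattern: the plain token is HTML-escaped by default; unescaped
// text is only available under an explicit "-raw" name (assumed naming here),
// which callers must never substitute into HTML output.
function tokens_hardened(array $comment) {
  $title  = $comment['title'];
  $author = $comment['author'];
  return array(
    '[comment-title]'      => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
    '[comment-title-raw]'  => $title,
    '[comment-author]'     => htmlspecialchars($author, ENT_QUOTES, 'UTF-8'),
    '[comment-author-raw]' => $author,
  );
}

// A consuming module or theme: substitutes tokens into an HTML template.
function token_replace_html($template, array $tokens) {
  return strtr($template, $tokens);
}

// Defensive check for HTML consumers: reject a template that names a
// "-raw" token, since raw values only belong in contexts that do not
// interpret HTML (a path alias, a plain-text mail subject) or escape it themselves.
function template_uses_raw_tokens($template) {
  return (bool) preg_match('/\[[a-z0-9-]+-raw\]/', $template);
}

$template = '<p>New comment "[comment-title]" by [comment-author]</p>';

echo "VULNERABLE (script executes in the victim's browser):\n";
echo token_replace_html($template, tokens_vulnerable($comment)), "\n\n";

echo "HARDENED (markup rendered as literal text):\n";
if (template_uses_raw_tokens($template)) {
  echo "refused: template uses a raw token in an HTML context\n";
} else {
  echo token_replace_html($template, tokens_hardened($comment)), "\n";
}
```

The same separation is what the advisory's IMPORTANT NOTE asks module authors to observe: consumers that render HTML should use the escaped token, and only non-HTML contexts (such as the path aliases Pathauto generates) should reach for the raw value, which they must then sanitise for their own output format.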
