Scoutnet vzw http://forum.scoutnet.be/ |
|
[Drupal] Security announcements: BUEditor - CSRF http://forum.scoutnet.be/viewtopic.php?f=19&t=2049 |
Pagina 1 van 1 |
Auteur: | To [ 12 Jan 2008 12:46 ] |
Titel: | [Drupal] Security announcements: BUEditor - CSRF |
------------SA-2008-003 - BUEDITOR - CSRF------------ * Advisory ID: DRUPAL-SA-2008-003 * Project: BUEditor (third-party module) * Version: 4.7.x, 5.x * Date: 2008-January-10 * Security risk: Not critical * Exploitable from: Remote * Vulnerability: Cross site request forgery ------------DESCRIPTION------------ BUEditor is a plain textarea editor aiming to facilitate code writing. It supports completely customizable interface and button functionality via role-based editors. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The editor deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of custom editor interfaces. ------------VERSIONS AFFECTED------------ * BUEditor for Drupal 4.7.x before BUEditor 4.7.x-1.0 * BUEditor for Drupal 5.x before BUEditor 5.x-1.1 Drupal core is not affected. If you do not use the contributed BUEditor module, there is nothing you need to do. ------------SOLUTION------------ Install the latest version: * If you use Drupal 4.7.x upgrade to BUEditor 4.7.x-1.1 [ http://drupal.org/node/206861 ]. * If you use Drupal 5.x upgrade to BUEditor 5.x-1.1 [ http://drupal.org/node/206858 ]. See also the BUEditor project page [ http://drupal.org/project/bueditor ]. ------------REPORTED BY------------ Stéphane Corlosquet (scor) [ http://drupal.org/user/52142 ]. ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] |
Pagina 1 van 1 | Alle tijden zijn UTC + 1 uur |
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/ |