Scoutnet vzw http://forum.scoutnet.be/

[Drupal] Security announcements: Drupal core - XSS forgery http://forum.scoutnet.be/viewtopic.php?f=19&t=2051

Page 1 of 1

Author: To [ 12 Jan 2008 12:48 ]
Title: [Drupal] Security announcements: Drupal core - XSS forgery
------------SA-2008-005 - DRUPAL CORE - CROSS SITE REQUEST FORGERY------------

* Advisory ID: DRUPAL-SA-2008-005
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2008-January-10
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site request forgery

------------DESCRIPTION------------

The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries.

For example: Should a privileged user view a page containing a tag with a specially constructed src pointing to a remove items URL, the items would be removed.

------------VERSIONS AFFECTED------------

* Drupal 4.7.x before version 4.7.11.
* Drupal 5.x before version 5.6.

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [ http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].
* If you are running Drupal 5.x then upgrade to Drupal 5.6 [ http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

* To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-4.7.10.patch ].
* To patch Drupal 5.5 use SA-2008-005-5.5.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-5.5.patch ].

------------REPORTED BY------------

The Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
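The advisory's root cause is a state-changing action (remove all items from a feed) that is triggered by a plain GET and authorised only by the session cookie the browser attaches on its own. The added example below is not Drupal code and not part of the advisory; it is a framework-independent Python model of the same situation. The feed table, the session store, the request class and the handler names (vulnerable_remove_items, hardened_remove_items, make_token) are all constructed here for illustration. It contrasts the vulnerable GET handler with a hardened one that accepts only POST and requires a per-session, per-action HMAC token, and it includes regression checks that replay the advisory's scenario (a cross-site resource load that reaches the server as a cookie-bearing GET) against both handlers.

```python
import hashlib
import hmac
import secrets

# Constructed sample state (not Drupal's data model): one feed with three
# items, and one logged-in administrator session with its own CSRF secret.
FEEDS = {7: ["item-a", "item-b", "item-c"]}
SESSIONS = {"sess-admin": {"uid": 1, "csrf_secret": secrets.token_hex(16)}}


def reset_feeds():
    """Restore the sample feed so each check starts from the same state."""
    FEEDS[7] = ["item-a", "item-b", "item-c"]


class Request:
    """Minimal stand-in for an HTTP request as a server-side handler sees it."""

    def __init__(self, method, path, cookies=None, form=None):
        self.method = method
        self.path = path
        self.cookies = cookies or {}
        self.form = form or {}


def _feed_id(path):
    # Path shape assumed here: /aggregator/remove/<fid>
    return int(path.rsplit("/", 1)[1])


def _admin_session(req):
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None or session["uid"] != 1:
        return None
    return session


def vulnerable_remove_items(req):
    """The pattern the advisory describes: any request carrying a valid
    session cookie removes the items, regardless of method or origin."""
    if _admin_session(req) is None:
        return 403
    FEEDS[_feed_id(req.path)].clear()
    return 200


def make_token(sid, action):
    """Per-session, per-action token: HMAC of the action string under a secret
    held in the session, so a page on another site cannot compute it."""
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret.encode(), action.encode(), hashlib.sha256).hexdigest()


def hardened_remove_items(req):
    """State change only on POST, and only with a token bound to both the
    session and the specific action being performed."""
    if _admin_session(req) is None:
        return 403
    if req.method != "POST":
        return 405  # GET must never change state
    action = f"aggregator/remove/{_feed_id(req.path)}"
    expected = make_token(req.cookies["sid"], action)
    if not hmac.compare_digest(req.form.get("token", ""), expected):
        return 403  # cookie present but token missing or wrong: treat as forged
    FEEDS[_feed_id(req.path)].clear()
    return 200


def forged_get(handler):
    """Regression check for the advisory's scenario: the victim's browser loads
    a resource whose src is the remove URL, so the server receives a GET with
    the victim's cookie and no form body. Returns (status, items remaining)."""
    reset_feeds()
    status = handler(Request("GET", "/aggregator/remove/7", cookies={"sid": "sess-admin"}))
    return status, len(FEEDS[7])


def forged_post(handler):
    """Same check for a cross-site auto-submitted POST: the cookie is attached,
    but the submitting page cannot read the session's token."""
    reset_feeds()
    status = handler(Request("POST", "/aggregator/remove/7",
                             cookies={"sid": "sess-admin"}, form={"token": "guess"}))
    return status, len(FEEDS[7])


def legitimate_remove(handler):
    """The site's own confirmation form embeds the token, so the genuine
    request still succeeds."""
    reset_feeds()
    token = make_token("sess-admin", "aggregator/remove/7")
    status = handler(Request("POST", "/aggregator/remove/7",
                             cookies={"sid": "sess-admin"}, form={"token": token}))
    return status, len(FEEDS[7])


if __name__ == "__main__":
    print("vulnerable, forged GET :", forged_get(vulnerable_remove_items))        # (200, 0)
    print("hardened,   forged GET :", forged_get(hardened_remove_items))          # (405, 3)
    print("hardened,   forged POST:", forged_post(hardened_remove_items))         # (403, 3)
    print("hardened,   legitimate :", legitimate_remove(hardened_remove_items))   # (200, 0)
```

The two properties to keep in mind when auditing similar endpoints: a request that changes state should not be reachable by GET at all (so it cannot be triggered by an image or link load), and the POST it does accept should carry a secret the browser does not send automatically, checked with a constant-time comparison.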