Scoutnet vzw :: Bekijk onderwerp - [Drupal] Security announcements: Drupal core

Scoutnet vzw http://forum.scoutnet.be/

[Drupal] Security announcements: Drupal core - XSS forgery http://forum.scoutnet.be/viewtopic.php?f=19&t=2051	Pagina 1 van 1

Auteur:	To [ 12 Jan 2008 12:48 ]
Titel:	[Drupal] Security announcements: Drupal core - XSS forgery
------------SA-2008-005 - DRUPAL CORE - CROSS SITE REQUEST FORGERY------------ * Advisory ID: DRUPAL-SA-2008-005 * Project: Drupal core * Version: 4.7.x, 5.x * Date: 2008-January-10 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site request forgery ------------DESCRIPTION------------ The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an tag with a specially constructed src pointing to a remove items URL, the items would be removed. ------------VERSIONS AFFECTED------------ * Drupal 4.7.x before version 4.7.11. * Drupal 5.x before version 5.6. ------------SOLUTION------------ Install the latest version: * If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [ http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ]. * If you are running Drupal 5.x then upgrade to Drupal 5.6 [ http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ]. If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. * To patch Drupal 4.7.10 use SA-2008-005-4.7.10.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-4.7.10.patch ]. * To patch Drupal 5.5 use SA-2008-005-5.5.patch [ http://drupal.org/files/sa-2008-005/SA-2008-005-5.5.patch ]. ------------REPORTED BY------------ The Drupal security team. ------------CONTACT------------ The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1	Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/