Scoutnet vzw

We connect scouts!
Het is momenteel 28 Mrt 2024 18:39

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 12 Jan 2008 12:49 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2008-006 - DRUPAL CORE - CROSS SITE SCRIPTING (UTF8)------------

* Advisory ID: DRUPAL-SA-2008-006
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2008-January-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are invalid in the UTF8 specification are not handled properly by Internet Explorer 6 and may lead it to see a multibyte start character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. This may lead to unsafe attributes that were outside a tag for the filter to appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute javascript in the context of the website.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

------------VERSIONS AFFECTED------------

* Drupal 4.7.x before version 4.7.11.
* Drupal 5.x before version 5.6.

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11 [ http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz ].
* If you are running Drupal 5.x then upgrade to Drupal 5.6 [ http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

* To patch Drupal 4.7.10 use SA-2008-006-4.7.10.patch [ http://drupal.org/files/sa-2008-006/SA-2008-006-4.7.10.patch ].
* To patch Drupal 5.5 use SA-2008-006-5.5.patch [ http://drupal.org/files/sa-2008-006/SA-2008-006-5.5.patch ].

------------IMPORTANT NOTE------------

Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.

Use of modules that purposely insert bytes that are invalid UTF-8 characters, such as GeSHi Filter [ http://drupal.org//project/geshifilter ] and Code Filter [ http://drupal.org//project/codefilter ] will cause any text using the filter to not be displayed. Disable the modules until a solution has been found.

------------REPORTED BY------------

The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend.

The Drupal security team wants to thank Die Zeit [ http://www.zeit.de/ ], who commissioned the audit, for sharing the results.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 13 gasten


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.