Scoutnet vzw http://forum.scoutnet.be/

[Drupal] Security announcements: Drupal core - XSS (RG) http://forum.scoutnet.be/viewtopic.php?f=19&t=2053

Author: To [12 Jan 2008 12:50]
Title: [Drupal] Security announcements: Drupal core - XSS (RG)
------------SA-2008-007 - DRUPAL CORE - CROSS SITE SCRIPTING (REGISTER_GLOBALS)------------

* Advisory ID: DRUPAL-SA-2008-007
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2008-January-10
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting when register_globals is enabled.

------------DESCRIPTION------------

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled will this issue affect you.

------------VERSIONS AFFECTED------------

* Drupal 4.7.x
* Drupal 5.x

------------SOLUTIONS------------

* Disable register_globals. Please refer to the PHP documentation [ http://www.php.net/configuration.changes ] for information on how to configure PHP.
* Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.

------------REPORTED BY------------

Ultra Security Research.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
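The advisory leaves the administrator with two conditions to verify: does register_globals end up enabled once .htaccess overrides are taken into account, and are direct requests for *.tpl.php files actually denied. The Python script below is an added example (not code from the advisory, from this post, or from Drupal) that audits php.ini and .htaccess text offline for both conditions. The sample php.ini and .htaccess contents, the function names and the htaccess_honored flag are constructed for illustration; the .htaccess sample is only modelled on the kind of FilesMatch and php_value rules Drupal ships and is not copied from it.

```python
"""Offline audit for the two preconditions named in DRUPAL-SA-2008-007.

Added example, not code from the advisory or from Drupal. It parses
php.ini-style text and .htaccess text and reports whether register_globals
is effectively on and whether *.tpl.php requests are denied.
"""
import re

# Strings PHP accepts as "on" for boolean ini settings (case-insensitive).
_TRUTHY = {"1", "on", "true", "yes"}


def ini_bool(value: str) -> bool:
    return value.strip().strip('"').strip("'").lower() in _TRUTHY


def php_ini_register_globals(ini_text: str) -> bool:
    """True if php.ini enables register_globals. ';' starts a comment;
    a missing key means the PHP default, which is Off since PHP 4.2."""
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^register_globals\s*=\s*(.*)$", line, re.I)
        if m:
            enabled = ini_bool(m.group(1))  # last assignment wins
    return enabled


def htaccess_register_globals(htaccess_text: str):
    """True/False if .htaccess sets register_globals via php_value/php_flag,
    None if it says nothing. <IfModule> nesting is not evaluated: whether
    the directive is honoured at all is modelled by the caller's flag."""
    setting = None
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"^php_(?:value|flag)\s+register_globals\s+(\S+)", line, re.I)
        if m:
            setting = ini_bool(m.group(1))
    return setting


_FILESMATCH = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.I | re.S)


def htaccess_denies_tpl(htaccess_text: str) -> bool:
    """True if some <FilesMatch> block whose pattern matches 'page.tpl.php'
    denies access (Apache 2.2 'Deny from all' or 2.4 'Require all denied')."""
    for pattern, body in _FILESMATCH.findall(htaccess_text):
        try:
            if not re.search(pattern, "page.tpl.php"):
                continue
        except re.error:  # pattern not valid for Python's re; be conservative
            continue
        if re.search(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     body, re.I | re.M):
            return True
    return False


def audit(php_ini: str, htaccess: str, htaccess_honored: bool) -> dict:
    """Combine the inputs the way the server would.

    htaccess_honored (assumption, supplied by the operator): False when
    AllowOverride does not let .htaccess apply, or when PHP does not run as
    mod_php (php_value/php_flag have no effect under CGI/FastCGI)."""
    rg = php_ini_register_globals(php_ini)
    override = htaccess_register_globals(htaccess) if htaccess_honored else None
    if override is not None:
        rg = override
    tpl_exposed = not (htaccess_honored and htaccess_denies_tpl(htaccess))
    return {"register_globals": rg, "tpl_exposed": tpl_exposed,
            "affected": rg and tpl_exposed}


# Constructed samples, not taken from any real server.
PHP_INI_INSECURE = """
; php.ini excerpt
register_globals = On
"""

# Modelled on the style of Drupal's .htaccess; the exact text is constructed.
HTACCESS_DRUPAL_LIKE = r"""
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
  Deny from all
</FilesMatch>

<IfModule mod_php5.c>
  php_value register_globals 0
</IfModule>
"""

HTACCESS_STRIPPED = """
# An .htaccess that lost its protective rules
RewriteEngine on
"""

if __name__ == "__main__":
    for label, ht, honored in [("drupal-like .htaccess, honoured", HTACCESS_DRUPAL_LIKE, True),
                               ("drupal-like .htaccess, ignored", HTACCESS_DRUPAL_LIKE, False),
                               ("stripped .htaccess, honoured", HTACCESS_STRIPPED, True)]:
        print(label, "->", audit(PHP_INI_INSECURE, ht, honored))
```

The second case is the one the advisory warns about: the .htaccess still contains the right directives, but a PHP running as CGI/FastCGI or an AllowOverride setting that ignores .htaccess means neither the register_globals override nor the FilesMatch deny takes effect, so the site is affected even though its Drupal checkout looks untouched. Confirm the static result on a live server by requesting a known template path (for example a theme's page.tpl.php) and expecting a 403, and by reading the administration page warning that Drupal 4.7.11 and 5.6 add.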