Scoutnet vzw

We connect scouts!
Posted: 31 Jan 2008 11:47
Author: Site Admin
------------SA-2008-013 - PROJECT ISSUE TRACKING - ARBITRARY FILE UPLOAD------------

* Advisory ID: DRUPAL-SA-2008-013

* Project: Project issue tracking (third-party module)

* Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x

* Date: 2007-January-30

* Security risk: Highly critical

* Exploitable from: Remote

* Vulnerability: Arbitrary file upload

------------DESCRIPTION------------

The Project issue tracking module has a vulnerability where new issues are not properly validated. If the core Upload module is enabled on issue nodes (the recommended configuration for the 5.x-2.* series), this vulnerability can be used to attach malicious files to new issues, regardless of the allowed list of file extensions. Using these files an attacker can always perform cross site scripting attacks, and depending on the server configuration, they might be able to execute arbitrary code.

Furthermore, the Project issue tracking module (in all versions prior to 5.x-2.0) provides its own file upload mechanism and list of allowed file extensions. This list includes HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

------------IMPORTANT NOTE: CONFIGURATION CHANGE NEEDED------------

Installing the new version will not remove the .html extensions from an already configured Project issue tracking module. Visit Administer » Project administration » Project issue settings (admin/project/project-issue-settings) on Drupal 5.x or administer » settings » project_issue (admin/settings/project_issue) on Drupal 4.7.x to remove html from the allowed extensions lists.

The steps above will stop malicious files from being uploaded, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path and check for files with extensions that should be forbidden. We recommend you remove any HTML file you did not upload yourself. You should look for script tags, CSS includes, JavaScript includes, and onerror="" attributes if you need to review files individually.

------------VERSIONS AFFECTED------------

Project issue tracking (project_issue) versions:

* 5.x-2.x-dev from before 2008-01-30

* 5.x-1.2 and earlier

* 4.7.x-2.6 and earlier

* 4.7.x-1.6 and earlier

Drupal core is not affected. If you do not use the contributed Project issue tracking module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* Project issue tracking 5.x-2.0 [ http://drupal.org/node/216121 ]

* Project issue tracking 5.x-1.3 [ http://drupal.org/node/216120 ]

* Project issue tracking 4.7.x-2.7 [ http://drupal.org/node/216119 ]

* Project issue tracking 4.7.x-1.7 [ http://drupal.org/node/216118 ]

See also the Project issue tracking project page [ http://drupal.org/project/project_issue ].

------------REPORTED BY------------

Derek Wright [ http://drupal.org/user/46549 ] of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
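
As an added example, not part of the advisory or of the project_issue module: a small Python audit script for the clean-up step described above. It walks a site's file system path, reports files whose extension is not on the allow-list, and flags the indicators the advisory names (script tags, CSS and JavaScript includes, onerror attributes); the allow-list and the sample directory contents are constructed for the example.

```python
import os
import re

# Allow-list as a site might set it after removing "html" (constructed here).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "patch", "diff"}

# Content indicators the advisory suggests looking for when reviewing files.
MARKERS = {
    "script tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "css include": re.compile(r"<\s*link\b[^>]*stylesheet|@import\b", re.IGNORECASE),
    "javascript include": re.compile(r"<\s*script\b[^>]*\bsrc\s*=", re.IGNORECASE),
    "onerror attribute": re.compile(r"\bonerror\s*=", re.IGNORECASE),
}

def inspect_content(text):
    """Names of the markers present in a file's contents, in MARKERS order."""
    return [name for name, rx in MARKERS.items() if rx.search(text)]

def audit_files(files, allowed=ALLOWED_EXTENSIONS):
    """files maps relative path -> contents; returns sorted (path, reason) pairs."""
    findings = []
    for path, text in files.items():
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext not in allowed:
            findings.append((path, "forbidden extension: ." + ext))
        # Content is checked for every file, not only .html, so an HTML
        # payload renamed to an allowed extension is still reported.
        for marker in inspect_content(text):
            findings.append((path, marker))
    return sorted(findings)

def audit_directory(root, allowed=ALLOWED_EXTENSIONS):
    """Read every file under the site's file system path and audit it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return audit_files(files, allowed)

# Constructed sample of what an issue-attachment directory might hold.
SAMPLE_FILES = {
    "issues/screenshot.png": "\x89PNG\r\n",
    "issues/notes.txt": "plain text, nothing to see",
    "issues/report.html": '<p><img src=x onerror="x()">'
                          '<script src="http://example.invalid/x.js"></script>',
    "issues/fix.patch": "--- a/x.php\n+++ b/x.php\n",
}
```

Run audit_directory against the site's configured file system path; every finding is a file to review by hand, and a forbidden-extension hit on a file you did not upload yourself is the case the advisory tells you to remove.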