Scoutnet vzw

Author: Site Admin
Posted: 31 Jan 2008 11:48 (UTC + 1)

------------SA-2008-014 - USERPOINTS - CROSS SITE REQUEST FORGERY------------

* Advisory ID: DRUPAL-SA-2008-014

* Project: Userpoints (third-party module)

* Version: 4.7.x, 5.x-2.x, 5.x-3.x

* Date: 2008-January-30

* Security risk: Not critical

* Exploitable from: Remote

* Vulnerability: Cross site request forgery

------------DESCRIPTION------------

Userpoints is a system for keeping track of points earned on a site. It can be used to reward users for contributions to a community and also for ecommerce transactions.

The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to another site where they are authenticated. The point moderation form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the acceptance or decline of points which were in moderation.

------------VERSIONS AFFECTED------------

* Userpoints for Drupal 4.7.x before Userpoints 4.7.x-2.3

* Userpoints for Drupal 5.x before Userpoints 5.x-3.3 or 5.x-2.16

Drupal core is not affected. If you do not use the contributed Userpoints module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use Userpoints 4.7.x-2.x upgrade to Userpoints 4.7.x-2.3 [ http://drupal.org/node/216028 ].

* If you currently use Userpoints 5.x-2.x upgrade to Userpoints 5.x-2.16 [ http://drupal.org/node/216027 ].

* If you currently use Userpoints 5.x-3.x upgrade to Userpoints 5.x-3.3 [ http://drupal.org/node/216026 ].

See also the User points project page [ http://drupal.org/project/userpoints ].


------------REPORTED BY------------

Greg Knaddison (greggles) [ http://drupal.org/user/36762 ] of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached via email at security at drupal.org or via the form at [ http://drupal.org/contact ].


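An added example (not part of the original advisory, and not Userpoints or Drupal code): a minimal Python model of the difference the DESCRIPTION draws between a state-changing handler that trusts the session alone and one that requires a per-session form token, as the Forms API does. All names (`form_token`, `moderate_protected`, the `points_moderation` form id, the queue contents) are assumptions constructed for illustration, and HMAC-SHA256 stands in for whatever token derivation the real Forms API uses.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)  # per-site secret (constructed for this example)

def new_queue():
    # Constructed sample data: point transactions waiting in moderation.
    return {101: "pending", 102: "pending"}

def form_token(session_id: str, form_id: str) -> str:
    """Token bound to the moderator's session and to one specific form."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()

def moderate_unprotected(queue, session, params):
    """Pattern the advisory describes: the session alone authorizes the change."""
    if not session.get("is_moderator"):
        return False
    queue[int(params["txn_id"])] = params["op"]
    return True

def moderate_protected(queue, session, params):
    """Same action, but the request must echo the token from the site's own form."""
    if not session.get("is_moderator"):
        return False
    if params.get("op") not in ("approved", "declined"):
        return False
    expected = form_token(session["id"], "points_moderation")
    supplied = params.get("token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False  # request did not come from the site's form
    queue[int(params["txn_id"])] = params["op"]
    return True

def demo():
    session = {"id": secrets.token_hex(16), "is_moderator": True}
    # A cross-site request carries the moderator's session but cannot know the token.
    forged = {"txn_id": "101", "op": "declined"}
    genuine = {"txn_id": "102", "op": "approved",
               "token": form_token(session["id"], "points_moderation")}
    q1, q2 = new_queue(), new_queue()
    return {
        "unprotected_forged": (moderate_unprotected(q1, session, forged), q1[101]),
        "protected_forged": (moderate_protected(q2, session, forged), q2[101]),
        "protected_genuine": (moderate_protected(q2, session, genuine), q2[102]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```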
 