Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Cross site scripting
http://forum.scoutnet.be/viewtopic.php?f=19&t=2082
Pagina 1 van 1

Auteur:  jorisp [ 28 Feb 2008 0:30 ]
Titel:  [Drupal] Security announcements: Cross site scripting

------------SA-2008-018 - DRUPAL CORE - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-018

* Project: Drupal core

* Version: 6.0

* Date: 2008-February-27

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Multiple cross site scripting vulnerabilities

------------DESCRIPTION------------

Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.

The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

------------VERSIONS AFFECTED------------

* Drupal 6.x before version 6.1.

------------SOLUTION------------

Install the latest version:

* Upgrade to Drupal 6.1 [ http://ftp.drupal.org/files/projects/drupal-6.1.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

* To patch Drupal 6.0 use SA-2008-018-6.0.patch [ http://drupal.org/files/sa-2008-018/SA- ... -6.0.patch ].

------------REPORTED BY------------

* Steve McKenzie [ http://drupal.org/user/45890 ] discovered the ECMAScript issue

* The Drupal security team

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1 Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/