Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Ubercart XSS
http://forum.scoutnet.be/viewtopic.php?f=19&t=2087

Author:  To [ 12 Mar 2008 22:50 ]
Title:  [Drupal] Security announcements: Ubercart XSS

------------SA-2008-020 - UBERCART - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-020
* Project: Ubercart (third-party module)
* Version: 5.x
* Date: 2008-March-12
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------DESCRIPTION------------

The attribute module allows customers to enter a text value as an attribute for a product, like a name to stitch into a hat. However, when these text values were displayed in the shopping cart or on order pages, there was a possibility for a malicious user to perform a cross site scripting attack.

All users are encouraged to update to the latest version, but this notice specifically applies to users who have installed the core attribute module and allow customers to enter custom text for attributes on products in their stores.

------------VERSIONS AFFECTED------------

* Ubercart for Drupal 5.x prior to 5.x-1.0-beta7

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you use Drupal 5.x install Ubercart 5.x-1.0-beta7 [ http://drupal.org/node/232545 ].

See also the Ubercart project page [ http://drupal.org/project/ubercart ].

------------REPORTED BY------------

j_ten_man [ http://www.ubercart.org/user/1652 ] reported an issue in the Ubercart forums related to this problem that an Ubercart developer was able to diagnose and fix immediately.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
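
The class of bug described under DESCRIPTION, as an added example that is not part of the advisory and not Ubercart's code: customer-entered attribute text rendered into a cart line without and with output encoding. The function names, array layout and sample values are hypothetical; in Drupal 5 module code the same encoding is done with check_plain().

```php
<?php
// Added illustration only. Names and data layout are assumptions, not Ubercart's.

// Constructed sample: a cart item with one customer-entered text attribute.
$item = array(
  'title' => 'Baseball cap',
  'attributes' => array('Name to stitch' => '<script>alert(1)</script>'),
);

// Before: the customer's text is concatenated into the markup as-is, so any
// HTML in it is interpreted by the browser of whoever views the cart or order.
function render_cart_item_unsafe(array $item) {
  $rows = '';
  foreach ($item['attributes'] as $label => $value) {
    $rows .= '<li>' . $label . ': ' . $value . '</li>';
  }
  return '<div class="cart-item">' . $item['title'] . '<ul>' . $rows . '</ul></div>';
}

// Encode for an HTML text or attribute context at output time.
function plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// After: every stored value is encoded when it is written into the page,
// including the label and title, which may also come from stored data.
function render_cart_item_safe(array $item) {
  $rows = '';
  foreach ($item['attributes'] as $label => $value) {
    $rows .= '<li>' . plain($label) . ': ' . plain($value) . '</li>';
  }
  return '<div class="cart-item">' . plain($item['title']) . '<ul>' . $rows . '</ul></div>';
}

$unsafe = render_cart_item_unsafe($item);
$safe   = render_cart_item_safe($item);

// The unsafe markup carries a live tag; the safe markup carries only text.
if (strpos($unsafe, '<script>') === false) { throw new Exception('expected raw tag'); }
if (strpos($safe, '<script>') !== false)   { throw new Exception('tag not encoded'); }
if (strpos($safe, '&lt;script&gt;alert(1)&lt;/script&gt;') === false) {
  throw new Exception('expected encoded text');
}
echo $safe, "\n";
```

The same check applies to every page that displays the stored value (cart, checkout review, order view), since the encoding happens at output rather than when the text is saved.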

All times are UTC + 1 hour