Scoutnet vzw

We connect scouts!
Het is momenteel 19 Mrt 2024 10:18

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 24 Apr 2008 12:16 
Offline
Site Admin
Site Admin

Geregistreerd: 30 Sep 2002 23:00
Berichten: 1806
------------SA-2008-029 - E-PUBLISH - CROSS SITE SCRIPTING AND CROSS SITE REQUEST FORGERIES------------

* Advisory ID: DRUPAL-SA-2008-029

* Project: E-Publish (third-party module)

* Versions: 5.x and 6.x

* Date: 2008-April-23

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Cross site scripting and Cross site request forgeries

------------DESCRIPTION------------

The contributed module E-Publish helps organize a group of nodes into a publication, such as a newspaper, magazine or newsletter.

The Drupal Forms API protects against Cross Site Request Forgeries (CSRF) [ http://en.wikipedia.org/wiki/CSRF ], where a malicious site can cause a user to unintentionally take actions on another site where they are authenticated. Several forms do not follow the standard Forms API submission model and are therefore not protected against this type of attack. A CSRF attack may result in a topic, section, edition, volume or publication being deleted. This was fixed in E-Publish 5.x-1.0.

Moreover, several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages (Cross Site Scripting [ http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator access.

------------VERSIONS AFFECTED------------

* E-Publish for Drupal 5.x before E-Publish 5.x-1.1

* E-Publish for Drupal 6.x before E-Publish 6.x-1.0-beta1

Drupal core is not affected. If you do not use the contributed E-Publish module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use E-Publish 5.x-1.0 upgrade to E-Publish 5.x-1.1 [ http://drupal.org/node/250414 ]

* If you currently use E-Publish 6.x-1.x-dev upgrade to E-Publish 6.x-1.0-beta1 [ http://drupal.org/node/250415 ]

See also the E-Publish project page [ http://drupal.org/project/epublish ].

------------REPORTED BY------------

Stéphane Corlosquet (scor [ http://drupal.org/user/52142 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 2 gasten


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.