Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] E-PUBLISH - CROSS SITE SCRIPTING
http://forum.scoutnet.be/viewtopic.php?f=19&t=2113
Pagina 1 van 1

Auteur:  jorisp [ 24 Apr 2008 12:16 ]
Titel:  [Drupal] E-PUBLISH - CROSS SITE SCRIPTING

------------SA-2008-029 - E-PUBLISH - CROSS SITE SCRIPTING AND CROSS SITE REQUEST FORGERIES------------

* Advisory ID: DRUPAL-SA-2008-029

* Project: E-Publish (third-party module)

* Versions: 5.x and 6.x

* Date: 2008-April-23

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Cross site scripting and Cross site request forgeries

------------DESCRIPTION------------

The contributed module E-Publish helps organize a group of nodes into a publication, such as a newspaper, magazine or newsletter.

The Drupal Forms API protects against Cross Site Request Forgeries (CSRF) [ http://en.wikipedia.org/wiki/CSRF ], where a malicious site can cause a user to unintentionally take actions on another site where they are authenticated. Several forms do not follow the standard Forms API submission model and are therefore not protected against this type of attack. A CSRF attack may result in a topic, section, edition, volume or publication being deleted. This was fixed in E-Publish 5.x-1.0.

Moreover, several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages (Cross Site Scripting [ http://en.wikipedia.org/wiki/Xss ]). This may lead to administrator access.

------------VERSIONS AFFECTED------------

* E-Publish for Drupal 5.x before E-Publish 5.x-1.1

* E-Publish for Drupal 6.x before E-Publish 6.x-1.0-beta1

Drupal core is not affected. If you do not use the contributed E-Publish module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use E-Publish 5.x-1.0 upgrade to E-Publish 5.x-1.1 [ http://drupal.org/node/250414 ]

* If you currently use E-Publish 6.x-1.x-dev upgrade to E-Publish 6.x-1.0-beta1 [ http://drupal.org/node/250415 ]

See also the E-Publish project page [ http://drupal.org/project/epublish ].

------------REPORTED BY------------

Stéphane Corlosquet (scor [ http://drupal.org/user/52142 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1 Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/