Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Site Documentation - PE
http://forum.scoutnet.be/viewtopic.php?f=19&t=2122

Author:  To [ 14 May 2008 21:38 ]
Title:  [Drupal] Security announcements: Site Documentation - PE

------------SA-2008-030 - SITE DOCUMENTATION - PRIVILEGE ESCALATION------------

* Advisory ID: DRUPAL-SA-2008-030
* Project: Site Documentation (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-May-14
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Privilege escalation

------------DESCRIPTION------------

The contributed module Site Documentation intends to assist developers and administrators when they start working with a new site by showing them information from the database.

All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In typical scenarios, both anonymous and authenticated users have the "access content" permission.

Access to arbitrary tables enables an attacker to impersonate users by using SESSION IDs obtained from the database. An attacker could use specifically crafted URLs to gain access to additional private information, including, but not limited to, all usernames, password hashes, and e-mail addresses.

------------VERSIONS AFFECTED------------

* Site Documentation for Drupal 5.x before Site Documentation 5.x-1.8
* Site Documentation for Drupal 6.x before Site Documentation 6.x-1.1

Drupal core is not affected. If you do not use the contributed Site Documentation module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use Site Documentation 5.x-1.x, upgrade to Site Documentation 5.x-1.8 [ http://drupal.org/node/258548 ]
* If you currently use Site Documentation 6.x-1.0, upgrade to Site Documentation 6.x-1.1 [ http://drupal.org/node/258549 ]

See also the Site Documentation project page [ http://drupal.org/project/sitedoc ].

------------REPORTED BY------------

The Site Documentation module maintainer Nancy Wichmann [ http://drupal.org/user/101412 ] in collaboration with the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
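
To check an installed copy against the affected versions listed above, the following is an added example (not part of the advisory or of the Site Documentation project). It assumes the module's .info file carries the `version = "..."` line that drupal.org release packaging writes; the function names and the sample .info contents are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"5.x": (1, 8), "6.x": (1, 1)}

# Assumed .info line written by drupal.org packaging, e.g.: version = "5.x-1.7"
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
# core branch, major, minor (or "x" for a -dev snapshot), optional extra (beta1, dev)
VERSION = re.compile(r'^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$')

# Constructed sample .info contents (not taken from a real site).
SAMPLE_OLD = 'name = Site Documentation\nversion = "6.x-1.0"\n'
SAMPLE_NEW = 'name = Site Documentation\nversion = "5.x-1.8"\n'
SAMPLE_NONE = 'name = Site Documentation\n'  # e.g. a source checkout


def info_version(info_text):
    """Return the version string from .info file text, or None if absent."""
    m = VERSION_LINE.search(info_text)
    return m.group(1) if m else None


def status(version):
    """Classify a version string as 'affected', 'fixed' or 'unknown'."""
    m = VERSION.match(version or "")
    if not m or m.group(1) not in FIXED:
        return "unknown"   # no version line, other core branch, or unparsable
    core, major, minor, extra = m.groups()
    if minor == "x":
        return "unknown"   # -dev snapshot: the string alone cannot decide
    installed = (int(major), int(minor))
    if installed < FIXED[core]:
        return "affected"
    if installed == FIXED[core] and extra:
        return "unknown"   # pre-release of the fixed version: verify manually
    return "fixed"


if __name__ == "__main__":
    for text in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_NONE):
        v = info_version(text)
        print(v, "->", status(v))
```

Treat an "unknown" result as needing manual review rather than as safe.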

All times are UTC + 1 hour