Scoutnet vzw

We connect scouts!

All times are UTC + 1 hour




Posted: 14 May 2008 21:38
Site Admin
------------SA-2008-030 - SITE DOCUMENTATION - PRIVILEGE ESCALATION------------

* Advisory ID: DRUPAL-SA-2008-030
* Project: Site Documentation (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-May-14
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Privilege escalation

------------DESCRIPTION------------

The contributed module Site Documentation intends to assist developers and administrators when they start working with a new site by showing them information from the database.

All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In typical scenarios, both anonymous and authenticated users have the "access content" permission.

Access to arbitrary tables enables an attacker to impersonate users by using SESSION IDs obtained from the database. An attacker could use specifically crafted URLs to gain access to additional private information, including, but not limited to, all usernames, password hashes, and e-mail addresses.

------------VERSIONS AFFECTED------------

* Site Documentation for Drupal 5.x before Site Documentation 5.x-1.8
* Site Documentation for Drupal 6.x before Site Documentation 6.x-1.1

Drupal core is not affected. If you do not use the contributed Site Documentation module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use Site Documentation 5.x-1.x upgrade to Site Documentation 5.x-1.8 [ http://drupal.org/node/258548 ]
* If you currently use Site Documentation 6.x-1.0 upgrade to Site Documentation 6.x-1.1 [ http://drupal.org/node/258549 ]

See also the Site Documentation project page [ http://drupal.org/project/sitedoc ].

------------REPORTED BY------------

The Site Documentation module maintainer Nancy Wichmann [ http://drupal.org/user/101412 ] in collaboration with the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
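
As an added example (not part of the original advisory or of the module's code), the following Python script checks an installed copy of the module against the affected versions listed above. It assumes the module's `.info` file carries the `version` line that drupal.org packaging adds; the function names and the sample file are constructed for illustration.

```python
import re

# First fixed patch level per (core, major) branch, taken from the advisory:
# 5.x-1.8 and 6.x-1.1.
FIXED = {("5", "1"): 8, ("6", "1"): 1}

VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)
RELEASE_RE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-(.+))?$')

# Constructed sample .info content, not a real file from the project.
SAMPLE_INFO = '''; constructed sample
name = Site Documentation
core = 6.x
version = "6.x-1.0"
project = "sitedoc"
'''


def info_version(info_text):
    """Return the version string from a module .info file, or None."""
    m = VERSION_RE.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a sitedoc version string."""
    m = RELEASE_RE.match(version or "")
    if not m:
        return "unknown"            # missing or unparseable version
    core, major, patch, suffix = m.groups()
    if (core, major) not in FIXED:
        return "unknown"            # branch not covered by the advisory
    if patch == "x" or suffix:
        return "unknown"            # dev snapshot or pre-release: check by hand
    return "affected" if int(patch) < FIXED[(core, major)] else "fixed"


if __name__ == "__main__":
    version = info_version(SAMPLE_INFO)
    print(version, "->", classify(version))
```

An "unknown" result (development snapshot, missing version line, other branch) should be resolved by hand rather than treated as safe.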

