Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Magic Tabs - Arbitrary XSS
http://forum.scoutnet.be/viewtopic.php?f=19&t=2133

Author:  To [ 11 Jun 2008 18:29 ]
Title:  [Drupal] Security announcements: Magic Tabs - Arbitrary XSS

------------SA-2008-032 - MAGIC TABS - ARBITRARY CODE EXECUTION------------

* Advisory ID: SA-2008-032
* Project: Magic Tabs (third-party module)
* Versions: 5.x
* Date: 2008-June-11
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Arbitrary code execution

------------DESCRIPTION------------

Magic Tabs provides an implementation of tabs filled via AJAX requests.

Malicious users are able to run arbitrary PHP code via URL arguments to Magic Tabs as it does not provide a whitelist of callbacks.

------------VERSIONS AFFECTED------------

* Magic Tabs for Drupal 5.x prior to Magic Tabs 5.x-1.1

Drupal core is not affected. If you do not use the contributed Magic Tabs module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use Magic Tabs 5.x, upgrade to Magic Tabs 5.x-1.1 [ http://drupal.org/node/269324 ]

See also the Magic Tabs project page [ http://drupal.org/project/magic_tabs ].

------------REPORTED BY------------

The Magic Tabs maintainer Yuval Hager (yhager [ http://drupal.org/user/71425 ]).

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
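
The advisory attributes the flaw to Magic Tabs not providing a whitelist of callbacks. The PHP below is an added example, not Magic Tabs code and not the 5.x-1.1 fix: it resolves a URL-supplied callback name through a fixed allowlist instead of invoking it directly. All function names and inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical names throughout; not Magic Tabs source code.

// Unsafe pattern (the class of bug the advisory describes): a callback name
// taken from the URL is invoked directly, so any PHP function is reachable.
//   $output = call_user_func($callback_from_url, $arg_from_url);

// Registered tab callbacks (constructed for this example).
function example_tabs_news($delta) {
  return 'News tab ' . (int) $delta;
}
function example_tabs_events($delta) {
  return 'Events tab ' . (int) $delta;
}

// Allowlist: the only callbacks the AJAX endpoint may dispatch to,
// keyed by the public name that appears in the URL.
function example_tabs_allowed_callbacks() {
  return array(
    'news' => 'example_tabs_news',
    'events' => 'example_tabs_events',
  );
}

// Resolve the URL argument through the allowlist; reject everything else.
function example_tabs_dispatch($name, $delta) {
  $allowed = example_tabs_allowed_callbacks();
  // Exact key lookup only: no pattern matching and no function_exists(),
  // which would accept any function defined in the PHP process.
  if (!is_string($name) || !array_key_exists($name, $allowed)) {
    return FALSE; // caller should answer 403/404 and log the request
  }
  return call_user_func($allowed[$name], $delta);
}

// Constructed inputs: one registered name, then a PHP built-in and an
// internal function name, neither of which is a key in the allowlist.
foreach (array('news', 'phpinfo', 'example_tabs_news') as $name) {
  $result = example_tabs_dispatch($name, '2');
  echo $name, ' => ', ($result === FALSE ? 'rejected' : $result), "\n";
}
```

Keying the allowlist by a public name rather than by the function name keeps internal function names out of URLs, so a request can only ever select among the registered entries.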

All times are UTC + 1 hour