Scoutnet vzw

We connect scouts!

All times are UTC + 1 hour




Posted: 12 Jun 2008 1:10
Site Admin
------------SA-2008-035 - AGGREGATION - MULTIPLE VULNERABILITIES------------

* Advisory ID: SA-2008-035
* Project: Aggregation (third-party module)
* Versions: 5.x
* Date: 2008-June-11
* Security risk: Highly critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

The Aggregation module syndicates content from external feeds, saving them as nodes. A significant number of vulnerabilities were discovered in the module:

Cross site scripting - Numerous values are displayed without being properly escaped or filtered, which enables users to inject arbitrary HTML and script code on pages.

SQL Injection - Numerous values are used in SQL strings without being properly sanitized.

Arbitrary code execution - Maliciously constructed feeds can result in the upload of files with arbitrary extensions to the server. Whether this may lead to arbitrary code execution depends on the exact server configuration.

Access bypass - Incorrect implementation of the access control results in access bypass when node access modules (taxonomy access control, acl) are used.

------------VERSIONS AFFECTED------------

* Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4

Drupal core is not affected. If you do not use the contributed Aggregation module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use Aggregation 5.x, upgrade to Aggregation 5.x-4.4 [ http://drupal.org/node/269184 ]

See also the Aggregation project page [ http://drupal.org/project/aggregation ].

------------REPORTED BY------------

The cross site scripting issue was publicly reported by fonan [ http://drupal.org/user/96515 ].
The other issues were identified by Adam Light (aclight [ http://drupal.org/user/86358 ]) and Heine Deelstra (Heine [ http://drupal.org/user/17943 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

