Scoutnet vzw

We connect scouts!
Het is momenteel 10 Nov 2024 20:20

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 02 Jul 2008 23:58 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2008-041 - TAXONOMY AUTOTAGGER - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-041
* Project: Taxonomy autotagger (third-party module)
* Version: 5.x
* Date: 2008-July-2
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting and SQL injection

------------DESCRIPTION------------

The Taxonomy Autotagger will automatically tag a post with terms from a vocabulary if the terms are found in the content of the post.

The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the permission to create or edit posts to perform SQL Injection attacks [ http://en.wikipedia.org/wiki/Sql_injection ]. These attacks may lead to the malicious user gaining administrator access.

The module also displays certain values without appropriate filtering. Malicious users with the permission to create or edit posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack [ http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS) may lead to a malicious user gaining administrator access.

------------VERSIONS AFFECTED------------

* Taxonomy Autotagger for Drupal 5.x prior to 5.x-1.8.

Drupal core is not affected. If you do not use the contributed Taxonomy Autotagger module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* Taxonomy Autotagger 5.x-1.8 [ http://drupal.org/node/277684 ].

See also the Taxonomy Autotagger project page [ http://drupal.org/project/autotag ].

------------REPORTED BY------------

* The SQL injection was reported by John Morahan [ http://drupal.org/user/58170 ].
* The cross site scripting issue was reported by Heine Deelstra [ http://drupal.org/user/17943 ] of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ] and by selecting the security issues category.


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 2 gasten


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.