Scoutnet vzw

We connect scouts!
Het is momenteel 19 Mrt 2024 9:05

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 10 Jul 2008 18:56 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2008-044 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-044
* Project: Drupal core
* Version: 5x, 6.x
* Date: 2008-July-9
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Multiple vulnerabities and weaknesses were discovered in Drupal. Neither of
these are readily exploitable.

CROSS SITE SCRIPTING

Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.

Some values from OpenID [ http://openid.net/what/ ] providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.

filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.

CROSS SITE REQUEST FORGERIES

Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries [ http://en.wikipedia.org/wiki/Cross-site_request_forgery ] (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.

SESSION FIXATION

When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack [ http://en.wikipedia.org/wiki/Session_fixation ], when a malicious user is able to control another users' initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.

SQL INJECTION

Schema API uses an inappropriate placeholder for 'numeric' fields enabling SQL injection [ http://en.wikipedia.org/wiki/SQL_injection ] when user-supplied data is used for such fields.This issue affects Drupal 6 only.

------------VERSIONS AFFECTED------------

* Drupal 5.x before version 5.8
* Drupal 6.x before version 6.3

------------SOLUTION------------

Install the latest version:

* If you are running Drupal 5.x then upgrade to Drupal 5.8 [ http://ftp.drupal.org/files/projects/drupal-5.8.tar.gz ].
* If you are running Drupal 6.x then upgrade to Drupal 6.3 [ http://ftp.drupal.org/files/projects/drupal-6.3.tar.gz ]. If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
* To patch Drupal 5.7 use SA-2008-044-5.7.patch [ http://drupal.org/files/sa-2008-044/SA- ... -5.7.patch ].
* To patch Drupal 6.2 use SA-2008-044-6.2.patch [ http://drupal.org/files/sa-2008-044/SA- ... -6.2.patch ].

------------NOTE FOR SITE ADMINISTRATORS------------

Drupal 5.8 and 6.3 no longer support the use of the object HTML tag in many text supplied by administrators. Such texts include the mission statement and taxonomy term descriptions.

------------NOTES FOR DEVELOPERS------------

Drupal 6.3 has the new db_query placeholder %n for numeric fields (DECIMAL, NUMERIC). Custom queries should be updated to reflect this change.

------------REPORTED BY------------

* The session fixation issue was reported by Erich C. Beyrent.
* The Taxonomy term XSS issue was reported by John Morahan [ http://drupal.org/user/58170 ].
* The OpenID CSRF issue was reported by Peter Wolanin [ http://drupal.org/user/49851 ] (Drupal security team).
* The OpenID XSS issue was reported by Neil Drumm [ http://drupal.org/user/3064 ] (Drupal security team).
* The locale CSRF issue and the numeric SQL injection issue were reported by Heine Deelstra [ http://drupal.org/user/17943 ] (Drupal security team).

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 4 gasten


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.