Scoutnet vzw

We connect scouts!
Het is momenteel 19 Mrt 2024 10:49

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 10 Jul 2008 19:27 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2008-045 - OPENID - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-045
* Project: OpenID (third-party module)
* Version: 5.x
* Date: 2008-July-9
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting, Cross site request forgeries

------------DESCRIPTION------------

The OpenID module for Drupal 5.x allows uses to create an account or log into a Drupal site using one or more OpenID identities. Find out more about OpenID at [ http://openid.net ].

Two vulnerabilities and weaknesses were discovered in the contributed OpenID module.

CROSS SITE SCRIPTING

Some information sent from the OpenID provider is not escaped before it is displayed.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

CROSS SITE REQUEST FORGERIES

The Drupal Forms API protects against Cross Site Request Forgeries (CSRF), where a malicious site can cause a user to unintentionally take actions on another site where they are authenticated. The OpenID module allowed OpenID identities to be deleted simply by clicking a link. Thus, a user could have all of their identities removed and no longer be able to log in with OpenID .

------------VERSIONS AFFECTED------------

* OpenID for Drupal 5.x before version 5x.-1.2

Drupal 5.x core is not affected. If you do not use the contributed OpenID module for Drupal 5.x, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use OpenID 5.x-1.0 or 5.x-1.1 upgrade to OpenID 5.x-1.2 [ http://drupal.org/node/280593 ]

See also the OpenID project page [ http://drupal.org/project/openid ].

------------REPORTED BY------------

* Neil Drumm (drumm [ http://drupal.org/user/3064 ]) of the Drupal Security Team
* Peter Wolanin (pwolanin [ http://drupal.org/user/49851 ]) of the Drupal Security Team

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 1 gast


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.