Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: OpenID - ++ vulnerabilities
http://forum.scoutnet.be/viewtopic.php?f=19&t=2153
Pagina 1 van 1

Auteur:  To [ 10 Jul 2008 19:27 ]
Titel:  [Drupal] Security announcements: OpenID - ++ vulnerabilities

------------SA-2008-045 - OPENID - MULTIPLE VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2008-045
* Project: OpenID (third-party module)
* Version: 5.x
* Date: 2008-July-9
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting, Cross site request forgeries

------------DESCRIPTION------------

The OpenID module for Drupal 5.x allows uses to create an account or log into a Drupal site using one or more OpenID identities. Find out more about OpenID at [ http://openid.net ].

Two vulnerabilities and weaknesses were discovered in the contributed OpenID module.

CROSS SITE SCRIPTING

Some information sent from the OpenID provider is not escaped before it is displayed.

Wikipedia has more information about cross site scripting [ http://en.wikipedia.org/wiki/Xss ] (XSS).

CROSS SITE REQUEST FORGERIES

The Drupal Forms API protects against Cross Site Request Forgeries (CSRF), where a malicious site can cause a user to unintentionally take actions on another site where they are authenticated. The OpenID module allowed OpenID identities to be deleted simply by clicking a link. Thus, a user could have all of their identities removed and no longer be able to log in with OpenID .

------------VERSIONS AFFECTED------------

* OpenID for Drupal 5.x before version 5x.-1.2

Drupal 5.x core is not affected. If you do not use the contributed OpenID module for Drupal 5.x, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* If you currently use OpenID 5.x-1.0 or 5.x-1.1 upgrade to OpenID 5.x-1.2 [ http://drupal.org/node/280593 ]

See also the OpenID project page [ http://drupal.org/project/openid ].

------------REPORTED BY------------

* Neil Drumm (drumm [ http://drupal.org/user/3064 ]) of the Drupal Security Team
* Peter Wolanin (pwolanin [ http://drupal.org/user/49851 ]) of the Drupal Security Team

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1 Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/