Scoutnet vzw

We connect scouts!
Het is momenteel 30 Jan 2023 10:05

Alle tijden zijn UTC + 1 uur

Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 10 Sep 2008 20:21 
Site Admin
Site Admin

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2008-048-B - CCK - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-048-b
* Project: CCK (third-party module)
* Version: 5.x
* Date: 2008-Sep-04
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting


This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9.


The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on the fields settings forms are then displayed without appropriate filtering. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

* CCK for Drupal 5.x prior to 5.x-1.9

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected. If you do not use the contributed CCK module on a Drupal 5 site, there is nothing you need to do.


Install the latest version:

* CCK 5.x-1.8 [ ] 5.x-1.8 had two critical [ ] bugs [ ]
* CCK 5.x-1.9 [ ] hot fix release - includes security fix and these critical issue fixes.

See also the CCK project page [ ].


If your theme uses field templates, you will need to manually change the function phptemplate_field (or possibly THEME_NAME_field) in your theme's template.php:
'label' => t($field['widget']['label']),
'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

* The cross site scripting issue was reported by Peter Wolanin [ ] from the Drupal security team.


The security contact for Drupal can be reached at security at or via the form at [ ].

Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur

Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 1 gast

U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
Powered by phpBB® Forum Software © phpBB Group
Vertaald door