Scoutnet vzw

We connect scouts!
Het is momenteel 19 Mrt 2024 6:23

Alle tijden zijn UTC + 1 uur




Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 
Auteur Bericht
BerichtGeplaatst: 10 Sep 2008 20:21 
Offline
Site Admin
Site Admin
Gebruikers-avatar

Geregistreerd: 17 Jul 2002 23:00
Berichten: 1522
Woonplaats: Wetteren
------------SA-2008-048-B - CCK - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-048-b
* Project: CCK (third-party module)
* Version: 5.x
* Date: 2008-Sep-04
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------UPDATE------------

This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9.

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on the fields settings forms are then displayed without appropriate filtering. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

* CCK for Drupal 5.x prior to 5.x-1.9

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected. If you do not use the contributed CCK module on a Drupal 5 site, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* CCK 5.x-1.8 [ http://drupal.org/node/303532 ] 5.x-1.8 had two critical [ http://drupal.org/node/304118 ] bugs [ http://drupal.org/node/304122 ]
* CCK 5.x-1.9 [ http://drupal.org/node/304193 ] hot fix release - includes security fix and these critical issue fixes.

See also the CCK project page [ http://drupal.org/project/cck ].

------------NOTE------------

If your theme uses field templates, you will need to manually change the function phptemplate_field (or possibly THEME_NAME_field) in your theme's template.php:
change:
'label' => t($field['widget']['label']),
to:
'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

* The cross site scripting issue was reported by Peter Wolanin [ http://drupal.org/user/49851 ] from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].


Omhoog
 Profiel  
 
Berichten weergeven van de afgelopen:  Sorteer op  
Plaats een nieuw onderwerp Reageren op dit onderwerp  [ 1 bericht ] 

Alle tijden zijn UTC + 1 uur


Wie is er online?

Gebruikers in dit forum: Geen geregistreerde gebruikers en 1 gast


U mag geen nieuwe onderwerpen plaatsen in dit forum
U mag geen reacties plaatsen op onderwerpen in dit forum
U mag uw berichten niet wijzigen in dit forum
U mag uw berichten niet verwijderen in dit forum
U mag geen bijlagen plaatsen in dit forum

Zoeken naar:
Ga naar:  
cron
Powered by phpBB® Forum Software © phpBB Group
Vertaald door phpBBservice.nl.