Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: CCK - Cross site scripting
http://forum.scoutnet.be/viewtopic.php?f=19&t=2171
Pagina 1 van 1

Auteur:  To [ 10 Sep 2008 20:21 ]
Titel:  [Drupal] Security announcements: CCK - Cross site scripting

------------SA-2008-048-B - CCK - CROSS SITE SCRIPTING------------

* Advisory ID: DRUPAL-SA-2008-048-b
* Project: CCK (third-party module)
* Version: 5.x
* Date: 2008-Sep-04
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting

------------UPDATE------------

This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9.

------------DESCRIPTION------------

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on the fields settings forms are then displayed without appropriate filtering. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

------------VERSIONS AFFECTED------------

* CCK for Drupal 5.x prior to 5.x-1.9

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected. If you do not use the contributed CCK module on a Drupal 5 site, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* CCK 5.x-1.8 [ http://drupal.org/node/303532 ] 5.x-1.8 had two critical [ http://drupal.org/node/304118 ] bugs [ http://drupal.org/node/304122 ]
* CCK 5.x-1.9 [ http://drupal.org/node/304193 ] hot fix release - includes security fix and these critical issue fixes.

See also the CCK project page [ http://drupal.org/project/cck ].

------------NOTE------------

If your theme uses field templates, you will need to manually change the function phptemplate_field (or possibly THEME_NAME_field) in your theme's template.php:
change:
'label' => t($field['widget']['label']),
to:
'label' => check_plain(t($field['widget']['label']))

------------REPORTED BY------------

* The cross site scripting issue was reported by Peter Wolanin [ http://drupal.org/user/49851 ] from the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].

Pagina 1 van 1 Alle tijden zijn UTC + 1 uur
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/