Scoutnet vzw
http://forum.scoutnet.be/

[Drupal] Security announcements: Email Verification
http://forum.scoutnet.be/viewtopic.php?f=19&t=2241
Page 1 of 1

Author:  jorisp [ 20 May 2009 21:42 ]
Title:  [Drupal] Security announcements: Email Verification

* Advisory ID: DRUPAL-SA-CONTRIB-2009-030
* Project: Email Verification (third-party module)
* Version: 5.x, 6.x
* Date: 2009-May-20
* Security risk: High
* Exploitable from: Remote
* Vulnerability: Information disclosure, Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to access a list of unconfirmed email addresses. In the Drupal 5 version, this list is only protected by the "access content" permission, hence allowing a wide range of users to access these addresses. In the Drupal 6 version this list is properly protected. In both versions the username and email addresses are not properly escaped, allowing Cross Site Scripting (XSS) attacks. To learn more about Cross Site Scripting, read this article [1].

-------- VERSIONS AFFECTED ---------------------------------------------------

* Email Verification 5.x-1.x prior to 5.x-2.1
* Email Verification 6.x-1.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Email Verification module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use Email Verification 5.x-1.x upgrade to Email Verification 5.x-2.1 [2]
* If you use Email Verification 6.x-1.x upgrade to Email Verification 6.x-1.2 [3]
See also the Email Verification project page [4].

-------- REPORTED BY ---------------------------------------------------------

Gerhard Killesreiter (killes@www.drop.org) [5]

-------- FIXED BY ------------------------------------------------------------

Gerhard Killesreiter (killes@www.drop.org) [6] of the Drupal Security Team.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/468432
[3] http://drupal.org/node/468436
[4] http://drupal.org/project/email_verify
[5] http://drupal.org/user/227
[6] http://drupal.org/user/227
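The two defects the advisory describes, shown in Drupal 6 API terms as an added illustration that is not the Email Verification module's own code; the `example_unverified_*` names and the `{example_unverified}` table are hypothetical, and the "weak" menu item exists only to show the permission mistake beside its fix:

```php
<?php
// Added illustration, not the email_verify module's own code. Names beginning
// with example_unverified_ and the {example_unverified} table are hypothetical.

// Implementation of hook_menu(): who may see the list of unverified addresses.
function example_unverified_menu() {
  $items = array();
  // WEAK (the Drupal 5 defect): 'access content' is granted to nearly every
  // role on most sites, so the list is readable by practically any visitor.
  $items['admin/user/unverified-weak'] = array(
    'title' => 'Unverified addresses (weak)',
    'page callback' => 'example_unverified_page',
    'access arguments' => array('access content'),
  );
  // FIXED: gate the same page behind an administrative permission.
  $items['admin/user/unverified'] = array(
    'title' => 'Unverified addresses',
    'page callback' => 'example_unverified_page',
    'access arguments' => array('administer users'),
  );
  return $items;
}

// Builds table rows from account records. name and mail are user-controlled.
function example_unverified_rows($accounts) {
  $rows = array();
  foreach ($accounts as $account) {
    // VULNERABLE (both versions): raw text dropped into HTML, so markup in a
    // username or address is rendered and run by the administrator's browser:
    //   $rows[] = array($account->name, $account->mail);
    // FIXED: check_plain() HTML-encodes the values so they render as text.
    $rows[] = array(check_plain($account->name), check_plain($account->mail));
  }
  return $rows;
}

// Page callback for the listing.
function example_unverified_page() {
  $accounts = array();
  $result = db_query("SELECT u.name, u.mail FROM {users} u INNER JOIN {example_unverified} v ON v.uid = u.uid");
  while ($account = db_fetch_object($result)) {
    $accounts[] = $account;
  }
  $header = array(t('Username'), t('E-mail address'));
  return theme('table', $header, example_unverified_rows($accounts));
}
```

Reviewing a contributed module for these two patterns (a page gated by "access content" that exposes account data, and user-supplied strings passed to theme() without check_plain()) is the quickest way to confirm whether an installed copy is affected.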

All times are UTC + 1 hour