Scoutnet vzw
Posted: 20 May 2009 21:42
* Advisory ID: DRUPAL-SA-CONTRIB-2009-030
* Project: Email Verification (third-party module)
* Version: 5.x, 6.x
* Date: 2009-May-20
* Security risk: High
* Exploitable from: Remote
* Vulnerability: Information disclosure, Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to access a list of unconfirmed email addresses. In the Drupal 5 version, this list is only protected by the "access content" permission, hence allowing a wide range of users to access these addresses. In the Drupal 6 version this list is properly protected. In both versions the username and email addresses are not properly escaped, allowing Cross Site Scripting (XSS) attacks. To learn more about Cross Site Scripting read this article [1].
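The two weaknesses the description names, guarding an administrative listing with a permission nearly every role holds and emitting user-supplied strings unescaped, shown side by side in Drupal 6 module code. This is an added illustration, not the Email Verification module's code; the module name `unverified_example`, the menu path and the sample rows are constructed, and the Drupal 6 API (hook_menu(), check_plain(), theme('table')) is assumed.

```php
<?php
// Illustrative Drupal 6 module (hypothetical name "unverified_example");
// not the Email Verification module's own code.

/**
 * Implementation of hook_menu().
 *
 * The weak setting from the advisory: an admin-only listing guarded by
 * "access content", which almost every role holds. The fix is to require
 * an administrative permission instead.
 */
function unverified_example_menu() {
  $items['admin/user/unverified'] = array(
    'title' => 'Unconfirmed email addresses',
    'page callback' => 'unverified_example_page',
    // Weak (the Drupal 5 behaviour described in the advisory):
    // 'access arguments' => array('access content'),
    // Corrected: only user administrators may see the list.
    'access arguments' => array('administer users'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Page callback: render the list of unconfirmed addresses.
 */
function unverified_example_page() {
  // Constructed sample rows standing in for a database result; the second
  // row carries markup to show why output escaping matters.
  $unverified = array(
    (object) array('name' => 'alice', 'mail' => 'alice@example.org'),
    (object) array('name' => '<script>alert(1)</script>', 'mail' => 'x@example.org'),
  );
  $header = array(t('Username'), t('Email address'));
  $rows = array();
  foreach ($unverified as $account) {
    // Vulnerable: user-controlled strings placed in the table unescaped.
    // $rows[] = array($account->name, $account->mail);
    // Fixed: check_plain() HTML-escapes the strings before they reach the page.
    $rows[] = array(check_plain($account->name), check_plain($account->mail));
  }
  return theme('table', $header, $rows);
}
```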

-------- VERSIONS AFFECTED ---------------------------------------------------

* Email Verification 5.x-1.x prior to 5.x-2.1
* Email Verification 6.x-1.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Email Verification module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use Email Verification 5.x-1.x upgrade to Email Verification 5.x-2.1 [2]
* If you use Email Verification 6.x-1.x upgrade to Email Verification 6.x-1.2 [3]
See also the Email Verification project page [4].

-------- REPORTED BY ---------------------------------------------------------

Gerhard Killesreiter (killes@www.drop.org) [5]

-------- FIXED BY ------------------------------------------------------------

Gerhard Killesreiter (killes@www.drop.org) [6] of the Drupal Security Team.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/468432
[3] http://drupal.org/node/468436
[4] http://drupal.org/project/email_verify
[5] http://drupal.org/user/227
[6] http://drupal.org/user/227