Уязвимость в ядре

Главные вкладки

Аватар пользователя dyp@drupal.org dyp@drupal.org 19 октября 2006 в 1:26

------------DRUPAL CORE - MULTIPLE CROSS SITE SCRIPTING
VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2006-024

* Project: Drupal core

* Date: 2006-Oct-18

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Cross site scripting

------------DESCRIPTION------------

Multiple XSS (cross site scripting) vulnerabilities have been discovered.

A bug in input validation and lack of output validation allows HTML and script
insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain
circumstances. A malicious user may execute an XSS attack via a specially
crafted RSS feed. This vulnerability exists on systems that do not use PHP's
mb_string extension (to check if mb_string is being used, navigate to
admin/settings and look under "String handling"). Disabling the aggregator
module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape
output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are
met. Learn more about XSS on Wikipedia
[http://en.wikipedia.org/wiki/Cross_site_scripting].

------------VERSIONS AFFECTED------------

* Drupal 4.6.x versions before Drupal 4.6.10

* Drupal 4.7.x versions before Drupal 4.7.4

------------SOLUTION------------

* If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz].

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz].

* To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch
[http://drupal.org//files/sa-2006-024/4.6.9.patch].

* To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch
[http://drupal.org//files/sa-2006-024/4.7.3.patch].

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4.

Комментарии

Аватар пользователя dyp@drupal.org dyp@drupal.org 19 октября 2006 в 2:04

------------DRUPAL CORE - CROSS SITE REQUEST FORGERIES------------

* Advisory ID: DRUPAL-SA-2006-025

* Project: Drupal core

* Date: 2006-Oct-18

* Security risk: Highly critical

* Exploitable from: Remote

* Vulnerability: Cross site request forgeries

------------DESCRIPTION------------

Visiting a specially crafted page, anywhere on the web, may allow that page to
post forms to a Drupal site in the context of the visitor's session. To
illustrate; suppose one has an active user 1 session, the most powerful
administrator account for a site, to a Drupal site while visiting a website
created by an attacker. This website will now be able to submit any form to the
Drupal site with the privileges of user 1, either by enticing the user to submit
a form or by automated means.

An attacker can exploit this vulnerability by changing passwords, posting PHP
code or creating new users, for example. The attack is only limited by the
privileges of the session it executes in.

------------VERSIONS AFFECTED------------

* Drupal 4.6.x versions before Drupal 4.6.10

* Drupal 4.7.x versions before Drupal 4.7.4

------------SOLUTION------------

* If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz].

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz].

* To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-025/4.6.9.patch
[http://drupal.org//files/sa-2006-025/4.6.9.patch].

* To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-025/4.7.3.patch
[http://drupal.org//files/sa-2006-025/4.7.3.patch].

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4.

------------IMPORTANT NOTE FOR DRUPAL 4.6.10------------

Any custom forms that do not use the proper form API functions, such as raw
HTML forms, will break for authenticated users and need to be updated. The
easiest way to do so is to add the output of form_token() before the closing
form tag. For phptemplate themes, add the following code before the closing form
tag:

We advise you test modules and themes in use before committing to an upgrade.

------------IMPORTANT NOTE FOR DRUPAL 4.7.4------------

Drupal 4.7.4 adds a new form field to all forms. Contributed modules and themes
that assume only specific, known form fields to be present, may break on Drupal
4.7.4.

We advise you test modules and themes in use before committing to an upgrade.

Аватар пользователя Natalie Natalie 19 октября 2006 в 2:07

Странно, на официальном сайте еще не объявили о 4.7.4
---
---
All content management systems suck, Drupal just happens to suck less. -- Boris Mann at DrupalCON Amsterdam, August 2005.

Аватар пользователя dyp@drupal.org dyp@drupal.org 19 октября 2006 в 2:24

------------DRUPAL CORE - FORM ACTION ATTRIBUTE INJECTION------------

* Advisory ID: DRUPAL-SA-2006-026

* Project: Drupal core

* Date: 2006-Oct-18

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: HTML attribute injection

------------DESCRIPTION------------

A malicious user may entice users to visit a specially crafted URL that may
result in the redirection of Drupal form submission to a third-party site. A
user visiting the user registration page via such a url, for example, will
submit all data, such as his/her e-mail address, but also possible private
profile data, to a third-party site.

------------VERSIONS AFFECTED------------

* Drupal 4.6.x versions before Drupal 4.6.10

* Drupal 4.7.x versions before Drupal 4.7.4

------------SOLUTION------------

* If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz].

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz].

* To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch
[http://drupal.org//files/sa-2006-026/4.6.9.patch].

* To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch
[http://drupal.org//files/sa-2006-026/4.7.3.patch].

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4.