[Imc-drupal-dev] [Fwd: [Security announcements] XSS vulnerability in project module]
bruno at indymedia.be
Mon May 8 02:19:58 PDT 2006
For those of us who use the project.module ..
-- bruno
-------- Original Message --------
Subject: [Security announcements] XSS vulnerability in project module
Date: Mon, 8 May 2006 09:15:22 +0000 (UTC)
From: Drupal Security Team <security at drupal.org>
Reply-To: security at drupal.org
To: bruno at indymedia.be
------------XSS VULNERABILITY IN PROJECT MODULE------------
* Project: project module (contributed module)
* Security risk: less critical
* Impact: project module
* Where: from remote
* Vulnerability: malicious HTML execution and XSS attacks
------------DESCRIPTION------------
The project.module was missing some input validation which can lead to XSS
attacks. When submitting an issue, users could enter malicious HTML that could
lead to session hijacking.
------------VERSIONS AFFECTED------------
Please check the CVS $Id$ fields in the following files to determine whether
the version of the project module you are running is vulnerable. All versions
older than the following are vulnerable:
4.6 branch:
comment.inc: /* $Id: comment.inc,v 1.42.2.4 2006/04/22 21:20:16 dww Exp $ */
issue.inc: /* $Id: issue.inc,v 1.102.2.10 2006/04/22 21:20:40 dww Exp $ */
mail.inc: /* $Id: mail.inc,v 1.47.2.3 2006/04/22 21:20:40 dww Exp $ */
release.inc: /* $Id: release.inc,v 1.52.2.3 2006/04/22 21:20:16 dww Exp $ */
CVS HEAD:
comment.inc: /* $Id: comment.inc,v 1.63 2006/04/22 21:09:40 dww Exp $ */
issue.inc: /* $Id: issue.inc,v 1.167 2006/04/22 21:14:57 dww Exp $ */
mail.inc: /* $Id: mail.inc,v 1.60 2006/04/22 21:14:57 dww Exp $ */
release.inc: /* $Id: release.inc,v 1.70 2006/04/22 21:09:40 dww Exp $ */
------------SOLUTION------------
Drupal core is not affected. If you do not use the project module there is
nothing you need to do. If you do use project, upgrade to the latest version of
the project module for your Drupal version.
Note: a fix for the Drupal 4.5 version of the project module is not available
at this time.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or
using the form at [http://drupal.org/contact]. More information is available
from [http://drupal.org/security] or from our security RSS feed
[http://drupal.org/security/rss.xml].
--
--
"Open information is mind power."
indymedia.be <http://www.indymedia.be> _ GetBasic
<http://www.getbasic.be> _ fluxx.be <http://www.fluxx.be>
PGP public key: keys.indymedia.org <http://keys.indymedia.org> _ id:
D48B28E2
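The "versions affected" check the advisory asks for, as an added example that is not part of the original mail or of the project module: it reads the CVS $Id$ keyword from each of the four files, works out whether the file is on the 4.6 branch or HEAD from the shape of the revision number, and compares revisions numerically (never as strings) against the fixed ones listed above. The sample file contents are constructed; feed it the real files with open(path).read().

```python
import re

# Fixed revisions from the advisory above. A file is safe only when its CVS
# revision is at least the listed one for its branch; anything older is vulnerable.
FIXED = {
    "4.6": {"comment.inc": "1.42.2.4", "issue.inc": "1.102.2.10",
            "mail.inc": "1.47.2.3", "release.inc": "1.52.2.3"},
    "HEAD": {"comment.inc": "1.63", "issue.inc": "1.167",
             "mail.inc": "1.60", "release.inc": "1.70"},
}
ID_RE = re.compile(r"\$Id:\s+(\S+),v\s+([\d.]+)\s")

def revision(s):
    """'1.102.2.10' -> (1, 102, 2, 10); compare numerically, never as strings."""
    return tuple(int(p) for p in s.split("."))

def parse_id(text):
    """Return (filename, revision tuple) from the CVS $Id$ keyword, or None."""
    m = ID_RE.search(text)
    return (m.group(1), revision(m.group(2))) if m else None

def is_vulnerable(text):
    """True unless the $Id$ proves the file is at or past the fixed revision.
    A missing $Id$, an unknown file or an unknown branch is reported as
    vulnerable, because the advisory gives no basis to call it safe."""
    parsed = parse_id(text)
    if parsed is None:
        return True
    name, rev = parsed
    # Branch revisions have four components (1.42.2.4), HEAD two (1.63).
    branch = {4: "4.6", 2: "HEAD"}.get(len(rev))
    if branch is None or name not in FIXED[branch]:
        return True
    fixed = revision(FIXED[branch][name])
    if len(rev) == 4 and rev[:3] != fixed[:3]:
        return True  # some other CVS branch of the file; not covered by the advisory
    return rev < fixed

def audit(sources):
    """Map {filename: file text} -> {filename: vulnerable?}."""
    return {name: is_vulnerable(text) for name, text in sources.items()}

# Constructed sample inputs (not real files): one fixed, one older, one without $Id$.
SAMPLE = {
    "comment.inc": "<?php\n/* $Id: comment.inc,v 1.42.2.4 2006/04/22 21:20:16 dww Exp $ */\n",
    "issue.inc": "<?php\n/* $Id: issue.inc,v 1.99 2006/01/10 10:00:00 dww Exp $ */\n",
    "mail.inc": "<?php\n// no keyword expansion here\n",
}

if __name__ == "__main__":
    for name, bad in audit(SAMPLE).items():
        print(f"{name}: {'VULNERABLE' if bad else 'fixed'}")
```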