it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-028 - Tag Order - Cross Site Scripting

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-028 - Tag Order - Cross Site Scripting
  • Date: Wed, 17 Mar 2010 20:50:52 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-028
* Project: Tag Order (third-party module)
* Version: 5.x, 6.x
* Date: 2010-March-17
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Tag Order module allows you to select vocabularies whose terms you would
like to preserve in the original order entered per node. Taxonomy vocabulary
names are not sanitized when being displayed on an administrative page, leading
to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a
malicious user gaining full administrative access. Mitigating factor: only
users with the 'administer taxonomy' permission can enter or edit vocabulary
names.
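
The pattern the advisory describes, as an added example that is not code from the Tag Order module or from Drupal: a free-text vocabulary name is concatenated into an admin page's HTML, so any markup in the name is interpreted by the administrator's browser. The corrected form passes the name through check_plain(). The check_plain() here is re-implemented with the same body Drupal 6 core uses so the script runs outside Drupal; the vocabulary names, the form field layout and the helper names render_unsafe(), render_safe() and contains_raw_tag() are constructed for this example.

```php
<?php
// Added example, not the Tag Order module's code. Demonstrates the unescaped
// output sink described in SA-CONTRIB-2010-028 and the check_plain() fix.

// Stand-in for Drupal 6 core's check_plain(): escape &, <, >, " and ' so the
// text is rendered as text, never as markup.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: vocabulary names as a user holding the
// 'administer taxonomy' permission could enter them. Names are free text,
// so the second one is accepted by the taxonomy form as-is.
$vocabularies = array(
  1 => 'Tags',
  2 => 'Topics <script>alert("xss")</script>',
);

// Vulnerable pattern: the name goes into the page without escaping.
function render_unsafe(array $vocabularies) {
  $out = '';
  foreach ($vocabularies as $vid => $name) {
    $out .= '<label><input type="checkbox" name="vids[' . $vid . ']"> '
          . $name . "</label>\n";
  }
  return $out;
}

// Corrected pattern: every user-controlled value is escaped at the point it
// is written into HTML; the numeric id is cast so it cannot carry markup either.
function render_safe(array $vocabularies) {
  $out = '';
  foreach ($vocabularies as $vid => $name) {
    $out .= '<label><input type="checkbox" name="vids[' . (int) $vid . ']"> '
          . check_plain($name) . "</label>\n";
  }
  return $out;
}

// Simple review check: no raw <script tag may survive in the rendered HTML.
// The safe renderer turns it into &lt;script&gt;, which this does not match.
function contains_raw_tag($html) {
  return stripos($html, '<script') !== false;
}

echo "Unsafe rendering:\n", render_unsafe($vocabularies), "\n";
echo "Safe rendering:\n", render_safe($vocabularies), "\n";
echo 'Unsafe output contains raw script tag: ',
     var_export(contains_raw_tag(render_unsafe($vocabularies)), true), "\n";
echo 'Safe output contains raw script tag: ',
     var_export(contains_raw_tag(render_safe($vocabularies)), true), "\n";
```

The same check is worth applying to any admin-only page: the 'administer taxonomy' restriction limits who can plant the payload, but the page is viewed by administrators, which is exactly the session an attacker would want, so output escaping is still required.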

-------- VERSIONS AFFECTED ---------------------------------------------------

* Tag Order for Drupal 6.x prior to 6.x-1.4
* Tag Order for Drupal 5.x prior to 5.x-1.4

Drupal core is not affected. If you do not use the contributed Tag Order
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
* If you use Tag Order for Drupal 6.x upgrade to Tag Order 6.x-1.4 [2]
* If you use Tag Order for Drupal 5.x upgrade to Tag Order 5.x-1.4 [3]

See also the Tag Order project page [4].

-------- REPORTED BY ---------------------------------------------------------

* Martin Barbella [5]

-------- FIXED BY ------------------------------------------------------------

* Martin Barbella [6]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/745338
[3] http://drupal.org/node/745346
[4] http://drupal.org/project/tagorder
[5] http://drupal.org/user/633600
[6] http://drupal.org/user/633600

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
