
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-033 - Taxonomy Filter - Cross Site Scripting (XSS)

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-033 - Taxonomy Filter - Cross Site Scripting (XSS)


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-033 - Taxonomy Filter - Cross Site Scripting (XSS)
  • Date: Wed, 31 Mar 2010 20:28:19 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-033
* Project: Taxonomy Filter (third-party module)
* Version: 6.x
* Date: 2010-March-31
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Taxonomy Filter module enables users to filter node listings by multiple
taxonomy terms across multiple vocabularies. Vocabulary names, terms, and
filter menus are not sanitized, creating a Cross Site Scripting (XSS)
vulnerability. Exploiting this vulnerability would allow a malicious user to
gain full administrative access, or worse. To exploit the vulnerability a
user would either need to have a role with 'administer taxonomy' permission
or a site would need to use free tagging and a user would need the ability to
create a node that has free tagging enabled.
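
The bug class behind this advisory, as an added PHP example (not the Taxonomy Filter module's code or the actual fix): taxonomy names written into filter-menu markup as-is, next to the escaped form, plus a small audit helper for sites that ran the affected version. `check_plain_standin()` mirrors Drupal 6's `check_plain()` so the script runs outside Drupal; the function and data names are assumptions.

```php
<?php
// Added example, not the Taxonomy Filter module's own code: taxonomy names
// placed in filter-menu markup without sanitization, next to the fixed
// pattern. Drupal 6 provides check_plain() for this; the stand-in below is
// defined only so the script runs outside Drupal (HTML-escaped UTF-8).
function check_plain_standin($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: vocabulary and term names concatenated into HTML as-is,
// so whoever may create terms controls what every visitor's browser runs.
function render_filter_menu_vulnerable($vocabulary_name, $terms) {
  $html = '<h3>' . $vocabulary_name . '</h3><ul>';
  foreach ($terms as $tid => $name) {
    $html .= '<li><a href="/taxonomy/term/' . $tid . '">' . $name . '</a></li>';
  }
  return $html . '</ul>';
}

// Fixed pattern: every user-controlled string is escaped before it is placed
// in the markup, and the term id is cast to an integer.
function render_filter_menu_fixed($vocabulary_name, $terms) {
  $html = '<h3>' . check_plain_standin($vocabulary_name) . '</h3><ul>';
  foreach ($terms as $tid => $name) {
    $html .= '<li><a href="/taxonomy/term/' . (int) $tid . '">'
           . check_plain_standin($name) . '</a></li>';
  }
  return $html . '</ul>';
}

// Audit helper for a site that ran the affected version: a name that changes
// under escaping contains characters a browser would read as markup.
function name_contains_markup($name) {
  return check_plain_standin($name) !== $name;
}

// Constructed sample data: one benign term and one term carrying markup.
$vocabulary_name = 'Topics';
$terms = array(
  7 => 'Drupal',
  8 => '<script>alert(1)</script>',
);

print render_filter_menu_vulnerable($vocabulary_name, $terms) . "\n";
print render_filter_menu_fixed($vocabulary_name, $terms) . "\n";
foreach ($terms as $tid => $name) {
  if (name_contains_markup($name)) {
    print "term $tid needs review: " . check_plain_standin($name) . "\n";
  }
}
```

The first print emits a live script element inside the list; the second emits the same name as visible `&lt;script&gt;` text, and the audit loop flags term 8 for review.
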

-------- VERSIONS AFFECTED ---------------------------------------------------

* Versions of Taxonomy Filter for Drupal 6.x prior to 6.x-1.1 [1]

Versions of Taxonomy Filter for Drupal 5.x are not affected. Drupal core is
not affected. If you do not use the 6.x version of the contributed Taxonomy
Filter module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use Taxonomy Filter for Drupal 6.x upgrade to Taxonomy Filter
6.x-1.1 [2] or any later version.

Also see the Taxonomy Filter [3] project page.

-------- REPORTED BY ---------------------------------------------------------

* Dylan Wilder-Tack [4] of the Drupal security team.

-------- FIXED BY ------------------------------------------------------------

* Dylan Wilder-Tack [5] of the Drupal security team.
* Solotandem [6], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/622096
[2] http://drupal.org/node/622096
[3] http://drupal.org/project/taxonomy_filter
[4] http://drupal.org/user/96647
[5] http://drupal.org/user/96647
[6] http://drupal.org/user/240748

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news




Archive provided by MHonArc 2.6.19.
