Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-050 - CAPTCHA - Cross Site Scripting

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-050 - CAPTCHA - Cross Site Scripting


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-050 - CAPTCHA - Cross Site Scripting
  • Date: Wed, 19 May 2010 19:08:56 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-050
* Project: CAPTCHA (third-party module)
* Version: 5.x, 6.x
* Date: 2010-May-19
* Security risk: Not Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

The CAPTCHA module enables a site administrator to put a CAPTCHA form element
(a simple challenge that is easy for humans, but hard for automated spam
bots) on any form. The CAPTCHA module does not sanitize the CAPTCHA
description that is added as help text to the CAPTCHA form element, allowing
users with permissions to configure the CAPTCHA settings to insert arbitrary
HTML and script code. Such a cross site scripting (XSS [1]) attack may lead
to a malicious user gaining full administrative access. This vulnerability is
mitigated by the attacker needing the "administer CAPTCHA settings"
permission in order to exploit it.
-------- VERSIONS AFFECTED
---------------------------------------------------

* CAPTCHA module for Drupal 5.x versions prior to 5.x-3.3
* CAPTCHA module for Drupal 6.x versions prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed CAPTCHA [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Install the latest version:
* If you use CAPTCHA module for Drupal 5.x, update to CAPTCHA 5.x-3.3 [3].
* If you use CAPTCHA module for Drupal 6.x, update to CAPTCHA 6.x-2.2 [4].

See also the CAPTCHA project page [5].
-------- REPORTED BY
---------------------------------------------------------

mr.baileys [6]
-------- FIXED BY
------------------------------------------------------------

Stefaan Lippens [7] (soxofaan), the CAPTCHA module maintainer
-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/captcha
[3] http://drupal.org/node/802904
[4] http://drupal.org/node/802896
[5] http://drupal.org/project/captcha
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/41478

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-050 - CAPTCHA - Cross Site Scripting, security-news, 19.05.2010

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang