[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-051 - Heartbeat - Cross Site Scripting
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-051 - Heartbeat - Cross Site Scripting
- Date: Wed, 19 May 2010 19:18:38 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-051
* Project: Heartbeat (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Heartbeat project contains a suite of modules to display user activity on
a website. These modules do not properly sanitize some of their output,
allowing certain users to insert arbitrary HTML and script code.
Such a cross site scripting (XSS [1]) attack may lead to a malicious user
gaining full administrative access. Depending on how the modules are
configured, this vulnerability may extend to relatively unprivileged users,
such as those with the ability to post comments, user "shouts" or other
content.
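For module maintainers, an added illustration of the output-escaping pattern that prevents this class of defect. It is not Heartbeat's code and does not reproduce the module's actual bug; it assumes a Drupal 6 bootstrap (t(), check_plain() and filter_xss() are Drupal 6 core API functions), and the function names and the $account/$shout inputs are hypothetical.

```php
<?php
// Hypothetical Drupal 6 activity-message rendering. Both $account->name and
// $shout are user-controlled (a display name and a "shout" posted by a user).
// Assumes a Drupal 6 bootstrap so that t(), check_plain() and filter_xss()
// from core are available.

/**
 * Vulnerable pattern: user-controlled values are concatenated straight into
 * markup, so a name or shout containing <script> is rendered as live HTML.
 * Kept only to show what the hardened version changes.
 */
function example_activity_message_unsafe($account, $shout) {
  return '<div class="activity">' . $account->name . ' said: ' . $shout . '</div>';
}

/**
 * Hardened pattern: every user-controlled value is escaped at output time.
 *  - "@" placeholders in t() run the value through check_plain(), which
 *    HTML-escapes it; this is right for plain-text values such as names.
 *  - "!" placeholders are inserted verbatim, so the value must already be
 *    safe: here filter_xss() with an explicit tag whitelist strips everything
 *    else, including <script> and on* event attributes.
 */
function example_activity_message_safe($account, $shout) {
  // Whitelist of markup a shout may keep; anything not listed is removed.
  $allowed_tags = array('a', 'em', 'strong');
  $text = t('@name said: !shout', array(
    '@name'  => $account->name,                      // escaped by t()
    '!shout' => filter_xss($shout, $allowed_tags),   // sanitised before insertion
  ));
  return '<div class="activity">' . $text . '</div>';
}

/**
 * If shouts should carry no markup at all, treating them as plain text with a
 * "@" placeholder is the simplest and strictest option.
 */
function example_activity_message_plain($account, $shout) {
  $text = t('@name said: @shout', array(
    '@name'  => $account->name,
    '@shout' => $shout,
  ));
  return '<div class="activity">' . $text . '</div>';
}
```

The rule the hardened versions follow is the one the advisory implies: escape at output, never trust that stored content was cleaned on input, and whitelist rather than blacklist when markup must be allowed.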
-------- VERSIONS AFFECTED ---------------------------------------------------
* Heartbeat for Drupal 6.x versions prior to 6.x-4.9
Drupal core is not affected. If you do not use the contributed Heartbeat [2]
modules, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Heartbeat module for Drupal 6.x, update to Heartbeat
6.x-4.9 [3].
See also the Heartbeat project page [4].
-------- REPORTED BY ---------------------------------------------------------
Some aspects of the vulnerability were reported by Sebastian Szałachowski,
and others were reported by Jochen Stals [5] (Stalski), the module
maintainer.
-------- FIXED BY ------------------------------------------------------------
Jochen Stals [6] (Stalski), the module maintainer, and David Rothstein [7] of
the Drupal Security Team.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/heartbeat
[3] http://drupal.org/node/802508
[4] http://drupal.org/project/heartbeat
[5] http://drupal.org/user/322618
[6] http://drupal.org/user/322618
[7] http://drupal.org/user/124982
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news