it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-087 - GovDelivery - Cross site scripting
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-087 - GovDelivery - Cross site scripting
- Date: Wed, 11 Aug 2010 22:42:19 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-087
* Project: GovDelivery Integration (third-party module)
* Version: 6.x
* Date: 2010-Aug-11
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
-------- DESCRIPTION ---------------------------------------------------------
The GovDelivery module provides integration with the GovDelivery On-Demand
Mailer (ODM) service, a web service for GovDelivery customers that sends
messages directly based on configured account information. The module
replaces the back end of the SMTP library in your Drupal site with calls to
the GovDelivery service, so all mail sent from your site goes through the ODM
service. The module does not sanitize some of the user-supplied data before
displaying it (in Drupal 6.x-1.0 only), leading to a Cross Site Scripting
(XSS) vulnerability that may allow a malicious user to gain full
administrative access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* GovDelivery module for Drupal 6.x versions prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed GovDelivery
Integration [1] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the GovDelivery module for Drupal 6.x, upgrade to GovDelivery
6.x-1.1 [2].
See also the GovDelivery Integration project page [3].
-------- REPORTED BY ---------------------------------------------------------
* ben.bunk [4], module co-maintainer
-------- FIXED BY ------------------------------------------------------------
* ben.bunk [5], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/govdelivery
[2] http://drupal.org/node/880684
[3] http://drupal.org/project/govdelivery
[4] http://drupal.org/user/764808
[5] http://drupal.org/user/764808
[6] http://drupal.org/security-team
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news