[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-091 - Mollom - Information Disclosure
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-091 - Mollom - Information Disclosure
- Date: Wed, 15 Sep 2010 15:44:42 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-091
* Project: Mollom (third-party module)
* Version: 6.x
* Date: 2010-September-15
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
The Mollom module provides a combination of CAPTCHA challenges with text
analysis to intelligently block spam. In some configurations, sensitive user
data (e.g., a user's plain-text password) might be logged through calls to
Drupal's watchdog API. This vulnerability is mitigated by the fact that this
information would only be disclosed to users with access to view log
messages, usually a role with the 'access site reports' permission or access
to system syslog files, which should generally only be granted to trusted
users.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Mollom module for Drupal 6.x versions prior to 6.x-1.14
Mollom for Drupal 5.x is not affected, but the alpha Mollom release for
Drupal 7.x is affected. Drupal core is not affected. If you do not use the
contributed Mollom module there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Mollom module for Drupal 6.x, upgrade to the 6.x-1.14
  version [1]
See also the Mollom project page [2].
-------- REPORTED BY ---------------------------------------------------------
* Katherine Senzee (ksenzee) [3]
-------- FIXED BY ------------------------------------------------------------
* Daniel Kudwien (sun) [4], module co-maintainer
* Dries [5], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/912420
[2] http://drupal.org/project/mollom
[3] http://drupal.org/user/139855
[4] http://drupal.org/user/54136
[5] http://drupal.org/user/1
[6] http://drupal.org/security-team
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
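
The failure mode in the DESCRIPTION section (submitted form data, including a plain-text password, ending up in a log message) can be avoided by redacting sensitive fields before anything is handed to the logger. The following is an added example, not part of the advisory and not the Mollom module's code; the function name example_redact_for_log, the list of sensitive key names, and the sample form values are assumptions constructed for illustration.

```php
<?php
// Added example, not Mollom's code: strip sensitive values from submitted
// form data before the data is interpolated into a log message.

// Assumed list of sensitive field names; extend it for your own forms.
const EXAMPLE_SENSITIVE_KEYS = ['pass', 'pass1', 'pass2', 'password', 'current_pass'];

/**
 * Returns a copy of $data with sensitive values replaced by a marker.
 * Recurses into nested arrays, since form values are often nested.
 */
function example_redact_for_log(array $data, array $sensitive = EXAMPLE_SENSITIVE_KEYS): array {
  $clean = [];
  foreach ($data as $key => $value) {
    if (in_array(strtolower((string) $key), $sensitive, true)) {
      // Redact the whole subtree: a confirm-password element may be an array.
      $clean[$key] = '[redacted]';
    }
    elseif (is_array($value)) {
      $clean[$key] = example_redact_for_log($value, $sensitive);
    }
    else {
      $clean[$key] = $value;
    }
  }
  return $clean;
}

// Constructed sample input resembling a submitted registration form.
$form_values = [
  'name' => 'alice',
  'mail' => 'alice@example.com',
  'pass' => ['pass1' => 'hunter2', 'pass2' => 'hunter2'],
  'profile' => ['bio' => 'hello', 'Password' => 'hunter2'],
];

$line = 'Form data: ' . json_encode(example_redact_for_log($form_values));

// The plain-text secret must not survive anywhere in the log line.
if (strpos($line, 'hunter2') !== false) {
  throw new RuntimeException('secret leaked into log line');
}

// In Drupal 6 this string would go to watchdog(); printed here so the
// example runs stand-alone.
echo $line . PHP_EOL;
```

Entries written before such a filter is in place remain in the watchdog table and in any syslog files, so existing logs should be reviewed and purged separately.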