it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities
- Date: Thu, 28 Oct 2010 04:58:01 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-101
* Project: Watcher
* Version: 5.x, 6.x
* Date: 2010-October-27
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Scripting and Cross-site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Watcher module lets users subscribe to nodes so they receive email
notifications when comments are posted or nodes are changed. The Watcher
module did not sanitize some of the user supplied data before displaying it,
leading to a Cross Site Scripting (XSS [1]) vulnerability which can be used
by a malicious user to gain full administrative access. The Watcher module
did not protect the subscribe and unsubscribe links against Cross-site
Request Forgeries (CSRF [2]).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Watcher for Drupal 5.x prior to Watcher 5.x-1.7
* Watcher for Drupal 6.x prior to Watcher 6.x-1.4
Drupal core is not affected. If you do not use the contributed Watcher [3],
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Watcher for Drupal 5.x upgrade to Watcher 5.x-1.7 [4]
* If you use Watcher for Drupal 6.x upgrade to Watcher 6.x-1.4 [5]
See also the Watcher [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jakob Persson (solipsist [8]), module maintainer
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal [9] can be reached at security at drupal.org or
via the form at http://drupal.org/contact [10].
Read more about the Security Team and Security Advisories at
http://drupal.org/security [11].
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Csrf
[3] http://drupal.org/project/watcher
[4] http://drupal.org/node/953740
[5] http://drupal.org/node/953738
[6] http://drupal.org/project/watcher
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/37564
[9] http://drupal.org/security-team
[10] http://drupal.org/contact
[11] http://drupal.org/security
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities, security-news, 28.10.2010
Archiv bereitgestellt durch MHonArc 2.6.19.