
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery
  • Date: Wed, 15 Dec 2010 19:24:31 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-110
* Project: Drupal For Firebug (third-party module)
* Version: 5.x, 6.x
* Date: 2010-Dec-15
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross-site Request Forgery

-------- DESCRIPTION
---------------------------------------------------------

The Drupal For Firebug module allows developers to use Firebug to get
debugging information about their Drupal installation.

The module does not properly protect the form used to submit PHP code against
Cross-site Request Forgeries (CSRF [1]), allowing a malicious user to trick
an authorized user into executing arbitrary PHP code.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Drupal For Firebug 5.x versions prior to 5.x-1.5
* Drupal For Firebug 6.x versions prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal For
Firebug [2] module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use Drupal For Firebug 5.x, upgrade to Drupal For Firebug 5.x-1.5
[3]
* If you use Drupal For Firebug 6.x, upgrade to Drupal For Firebug 6.x-1.4
[4]

See also the Drupal For Firebug project page [5].

-------- REPORTED BY
---------------------------------------------------------

* mr.baileys [6] of the Drupal security team

-------- FIXED BY
------------------------------------------------------------

* Matt Cheney (populist [7]), module maintainer

-------- CONTACT
-------------------------------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact [8].


[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[2] http://drupal.org/project/drupalforfirebug
[3] http://drupal.org/node/998568
[4] http://drupal.org/node/998566
[5] http://drupal.org/project/drupalforfirebug
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/58600
[8] http://drupal.org/contact

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
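
A check against the affected versions listed in the advisory, as an added example that is not part of the advisory or of the module. It assumes the installed module's .info file carries a `version` line in the form written by drupal.org packaging (for example `6.x-1.3`); the function names and the sample file content are hypothetical.

```python
import re

# Fixed releases named in the advisory, keyed by Drupal core branch.
FIXED = {"5.x": (1, 5), "6.x": (1, 4)}
# Release strings such as "6.x-1.3", "5.x-1.5-beta1" or "6.x-1.x-dev".
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$")

# Constructed sample .info content (not taken from the real module).
SAMPLE_INFO = """\
; constructed example
name = Drupal For Firebug
core = 6.x
version = "6.x-1.3"
"""


def info_version(info_text):
    """Return the 'version' value from .info file text, or None if absent."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue  # comment or not a key/value line
        key, value = line.split("=", 1)
        if key.strip() == "version":
            return value.strip().strip("\"'")
    return None


def assess(version):
    """Classify a version string: affected, fixed, not-listed or unknown."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, minor, extra = m.groups()
    if core not in FIXED:
        return "not-listed"  # the advisory covers only 5.x and 6.x
    if minor == "x":
        return "unknown"  # dev snapshot: the string does not say what it contains
    have = (int(major), int(minor))
    if have < FIXED[core]:
        return "affected"
    if have == FIXED[core] and extra:
        return "unknown"  # pre-release of the fixed version: verify manually
    return "fixed"


if __name__ == "__main__":
    found = info_version(SAMPLE_INFO)
    print(found, "->", assess(found))
```

A result of `unknown` means the version string alone cannot settle the question and the installed code has to be compared with the fixed release by hand.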


