[IT-SecNots] [Security-news] SA-CONTRIB-2010-015 - Translation Management - Multiple Vulnerabilities
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2010-015 - Translation Management - Multiple Vulnerabilities
- Date: Wed, 30 Mar 2011 20:53:08 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2011-015
* Project: Translation Management (third-party module)
* Version: 6.x
* Date: 2011-March-30
* Security risk: Critical (definition of risk levels) [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgeries, SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Translation Management module helps manage the process of translating content on your site. The module has several vulnerabilities. It does not sufficiently escape user-supplied text either when printing it to the browser or when using it in database queries, resulting in Cross Site Scripting (XSS) and SQL Injection vulnerabilities. It does not use the Form API or Drupal's token system to protect against Cross Site Request Forgeries (CSRF).
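The three weak patterns named above, each beside the Drupal 6 API that closes it, as an added illustration written for this page (not code from the Translation Management module or from the advisory): check_plain() for output, db_query() placeholders for queries, and the Form API (which adds and validates form_token itself) for state-changing requests. The module name tm_example, its functions, the {tm_example_jobs} table and the permission string are assumptions.

```php
<?php
// Added example for Drupal 6 (hypothetical module "tm_example"); not the real module's code.

// 1. XSS: user text printed to the browser without escaping.
function tm_example_title_unsafe($node) {
  return '<h2>' . $node->title . '</h2>';              // weak: raw text inside HTML
}
function tm_example_title_safe($node) {
  return '<h2>' . check_plain($node->title) . '</h2>'; // fixed: HTML-escaped on output
}

// 2. SQL injection: request values interpolated into the query string.
function tm_example_load_job_unsafe($job_id, $lang) {
  // weak: both values end up verbatim in the SQL text
  return db_fetch_object(db_query("SELECT * FROM {tm_example_jobs} WHERE jid = $job_id AND language = '$lang'"));
}
function tm_example_load_job_safe($job_id, $lang) {
  // fixed: %d is cast to an integer and '%s' is escaped by db_query()
  return db_fetch_object(db_query("SELECT * FROM {tm_example_jobs} WHERE jid = %d AND language = '%s'", $job_id, $lang));
}

// 3. CSRF: a state-changing action reachable by a plain GET with nothing tied to the session.
function tm_example_menu() {
  // weak: the delete runs on any visit to the URL, e.g. from a link on a foreign page
  $items['admin/tm-example/%/delete-unsafe'] = array(
    'page callback' => 'tm_example_delete_unsafe', 'page arguments' => array(2),
    'access arguments' => array('administer translations'), 'type' => MENU_CALLBACK,
  );
  // fixed: a Form API confirmation form; Drupal adds form_token and rejects a POST without it.
  // (For a bare link instead, pass drupal_get_token($jid) in the query string and check it
  // with drupal_valid_token() in the callback.)
  $items['admin/tm-example/%/delete'] = array(
    'page callback' => 'drupal_get_form', 'page arguments' => array('tm_example_delete_confirm', 2),
    'access arguments' => array('administer translations'), 'type' => MENU_CALLBACK,
  );
  return $items;
}
function tm_example_delete_unsafe($job_id) {
  db_query('DELETE FROM {tm_example_jobs} WHERE jid = %d', $job_id); // fires on GET
  drupal_goto('admin/tm-example');
}
function tm_example_delete_confirm(&$form_state, $job_id) {
  $form['jid'] = array('#type' => 'value', '#value' => $job_id);
  return confirm_form($form, t('Delete translation job %id?', array('%id' => $job_id)), 'admin/tm-example');
}
function tm_example_delete_confirm_submit($form, &$form_state) {
  // only reached after Form API has validated form_token for the submitting user
  db_query('DELETE FROM {tm_example_jobs} WHERE jid = %d', $form_state['values']['jid']);
  $form_state['redirect'] = 'admin/tm-example';
}
```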
-------- VERSIONS AFFECTED ---------------------------------------------------
* Translation Management versions prior to 6.x-1.21
Drupal core is not affected. If you do not use the contributed Translation
Management [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Translation Management module for Drupal 6.x, upgrade to 6.x-1.22 [3]
See also the Translation Management [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dave Reid [5] of the Drupal Security Team
* Greg Dunlap [6]
-------- FIXED BY ------------------------------------------------------------
* Bruce Pearson [7], the module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact. Learn more about the team and
their policies [8], writing secure code for Drupal [9], and secure
configuration [10] of your site.
[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/project/translation_management
[3] http://drupal.org/node/1108848
[4] http://drupal.org/project/translation_management
[5] http://drupal.org/user/53892
[6] http://drupal.org/user/128537
[7] http://drupal.org/user/415674
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news