SA-CORE-2009-009 – Drupal Core – Cross site scripting

December 16, 2009 Drupal Security Team Leave a comment

Advisory ID: DRUPAL-SA-CORE-2009-009
Project: Drupal core
Version: 5.x, 6.x
Date: 2009-December-16
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Cross site scripting

Description

Multiple vulnerabilities were discovered in Drupal.

Contact category name cross-site scripting

The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x and Drupal 5.x.

Menu description cross-site scripting

The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).

This issue affects Drupal 6.x only.

Versions affected

Drupal 5.x before version 5.21.
Drupal 6.x before version 6.15.

Solution

Install the latest version:

If you are running Drupal 6.x then upgrade to Drupal 6.15.
If you are running Drupal 5.x then upgrade to Drupal 5.21.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.21 or Drupal 6.15.

To patch Drupal 6.14 use SA-CORE-2009-009-6.14.patch.
To patch Drupal 5.20 use SA-CORE-2009-009-5.20.patch.

Reported by

The contact category XSS issue was independently reported by mr.baileys and Justin Klein Keane.
The menu description XSS issue was reported by mr.baileys.

Fixed by

The contact category XSS issue was fixed by Justin Klein Keane and Dave Reid.
The menu description XSS issue was fixed by Gábor Hojtsy and Heine Deelstra.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Drupal version:

Drupal 5.x

Drupal 6.x

Apache

Conferma la tua richiesta di iscrizione a perlulivo

December 7, 2009 Yahoo! Gruppi <confirm-s2-eecdlcvukwi1ahar5rvg4css40rxcxgk-announce-archive=httpd.apache.org@yahoogroups.com> Leave a comment


Ciao announce-archive@httpd.apache.org,

Abbiamo ricevuto la tua richiesta di iscrizione al gruppo perlulivo 
uno dei gruppi che trovi su Yahoo! Gruppi, un servizio gratuito e
facile da usare per creare ed entrare a far parte di tante community.

Questa richiesta scade fra 7 giorni.

PER ISCRIVERTI AL GRUPPO DEVI: 

1) Andare su Yahoo! Gruppi cliccando su questo link:

   http://it.groups.yahoo.com/i?i=eecdlcvukwi1ahar5rvg4css40rxcxgk&e=announce-archive%40httpd%2Eapache%2Eorg


  (Se cliccando sul link non ti si apre una finestra di browser, prova
   a fare copiare l'indirizzo e incollarlo su una finestra di browser.)

-OPPURE-

2) RISPONDI a questo messaggio e-mail cliccando su pulsante "Rispondi"
   e poi su quelli di "Invia" sul tuo programma di posta

Se non hai richiesto questa iscrizione a perlulivo,
o non desideri piÃ¹ completarla, ignora questo messaggio..

Ciao,

Il team di Yahoo! Gruppi
L'utilizzo di Yahoo! Gruppi Ã¨ soggetto alle  http://it.docs.yahoo.com/info/utos.html

Apple

CVE-2009-4186

December 2, 2009 007admin Leave a comment

Stack consumption vulnerability in Apple Safari 4.0.3 on Windows allows remote attackers to cause a denial of service (application crash) via a long URI value (aka url) in the Cascading Style Sheets (CSS) background property. (CVSS:9.3) (Last Update:2009-12-04)

Totally Secure

Monthly Archives: December 2009