Frontsite update 20081025

ElonNarai
Developer
Posts: 207
Joined: Sat Apr 19, 2008 2:43 pm
Location: Netherlands

Postby ElonNarai » Thu Oct 23, 2008 7:37 am

The frontsite will be updated on 2008-October-25
Current Status: NOT IN PROGRESS
BugTracker: #172

Drupal update 6.5 -> 6.6


------------SA-2008-067 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-067

  * Project: Drupal core

  * Versions: 5.x and 6.x

  * Date: 2008-October-22

  * Security risk: Less Critical

  * Exploitable from: Local/Remote

  * Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

Multiple vulnerabilities and weaknesses were discovered in Drupal.

------------FILE INCLUSION------------

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

------------CROSS SITE SCRIPTING------------

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

------------VERSIONS AFFECTED------------

  * Drupal 5.x before version 5.12

  * Drupal 6.x before version 6.6

------------SOLUTION------------

Install the latest version:

  * If you are running Drupal 5.x then upgrade to Drupal 5.12 [ http://ftp.drupal.org/files/projects/drupal-5.12.tar.gz ].

  * If you are running Drupal 6.x then upgrade to Drupal 6.6 [ http://ftp.drupal.org/files/projects/drupal-6.6.tar.gz ].

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

  * To patch Drupal 5.11 use SA-2008-067-5.11.patch [ http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch ].

  * To patch Drupal 6.5 use SA-2008-067-6.5.patch [ http://drupal.org/files/sa-2008-067/SA-2008-067-6.5.patch ].

------------REPORTED BY------------

  * The file inclusion vulnerability was reported by Anthony Ferrara

  * The cross site scripting issue was reported by Maarten van Grootel [ http://drupal.org/user/109716 ]

------------CONTACT------------

The security team for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
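A small check for the version ranges in the advisory quoted above, added here as an example; it is not part of the post or of Drupal's own code. It assumes the version string is read from the VERSION constant that Drupal 5 and 6 define in modules/system/system.module, and it compares versions numerically so that a branch release such as 6.10 is not mistaken for an older one by string comparison.

```python
"""Evaluate a Drupal core version against DRUPAL-SA-2008-067.

Constructed helper for the advisory quoted in the thread: the affected
ranges, fixed releases and interim patches are taken from its text.
"""
import re

# Per the advisory: 5.x before 5.12 and 6.x before 6.6 are affected.
FIXED_RELEASE = {5: (5, 12), 6: (6, 6)}

# Interim patches exist only for these exact releases (SOLUTION section).
INTERIM_PATCH = {
    (5, 11): "http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch",
    (6, 5): "http://drupal.org/files/sa-2008-067/SA-2008-067-6.5.patch",
}


def parse_version(version: str) -> tuple[int, int]:
    """Parse 'MAJOR.MINOR' from a VERSION string; tolerate '-dev' style suffixes."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    """True when the version falls inside an affected range of the advisory."""
    major, minor = parse_version(version)
    fixed = FIXED_RELEASE.get(major)
    if fixed is None:
        return False  # branch not covered by SA-2008-067 (e.g. 4.7.x or 7.x)
    # Tuple comparison is numeric, so (6, 10) is correctly newer than (6, 6).
    return (major, minor) < fixed


def remediation(version: str) -> str:
    """Return the action the advisory prescribes for this version."""
    if not is_affected(version):
        return "not affected by SA-2008-067"
    major, minor = parse_version(version)
    fixed = FIXED_RELEASE[major]
    action = f"upgrade to Drupal {fixed[0]}.{fixed[1]}"
    patch = INTERIM_PATCH.get((major, minor))
    if patch:
        action += f"; interim patch available: {patch}"
    return action


if __name__ == "__main__":
    for v in ("5.11", "6.5", "6.6", "6.10"):
        print(f"Drupal {v}: {remediation(v)}")
```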
