Frontsite update 20081025

Post by ElonNarai » Thu Oct 23, 2008 1:37 am

The frontsite will be updated on 2008-October-25
Current Status: NOT IN PROGRESS
BugTracker: #172

Drupal update 6.5 -> 6.6

------------SA-2008-067 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------

  * Advisory ID: DRUPAL-SA-2008-067

  * Project: Drupal core

  * Versions: 5.x and 6.x

  * Date: 2008-October-22

  * Security risk: Less Critical

  * Exploitable from: Local/Remote

  * Vulnerability: Multiple vulnerabilities


Multiple vulnerabilities and weaknesses were discovered in Drupal.

------------FILE INCLUSION------------

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory. 

This bug affects both Drupal 5 and Drupal 6.

------------CROSS SITE SCRIPTING------------

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

------------VERSIONS AFFECTED------------

  * Drupal 5.x before version 5.12

  * Drupal 6.x before version 6.6


Install the latest version:

  * If you are running Drupal 5.x then upgrade to Drupal 5.12 [ http://ftp.drupal.org/files/projects/drupal-5.12.tar.gz ].

  * If you are running Drupal 6.x then upgrade to Drupal 6.6 [ http://ftp.drupal.org/files/projects/drupal-6.6.tar.gz ].

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

  * To patch Drupal 5.11 use SA-2008-067-5.11.patch [ http://drupal.org/files/sa-2008-067/SA-2008-067-5.11.patch ].

  * To patch Drupal 6.5 use SA-2008-067-6.5.patch [ http://drupal.org/files/sa-2008-067/SA-2008-067-6.5.patch ].

------------REPORTED BY------------

  * The file inclusion vulnerability was reported by Anthony Ferrara

  * The cross site scripting issue was reported by Maarten van Grootel [ http://drupal.org/user/109716 ]


The security team for Drupal can be reached at security at drupal.org or via the form at [ http://drupal.org/contact ].
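
As an added example (not part of the original post or of the Drupal advisory), the following Python helper applies the advisory's "versions affected" and patch rules to a list of installed core versions. The function name `triage` and the sample inventory are constructed for illustration.

```python
import re

# Values below are copied from DRUPAL-SA-2008-067 as quoted in the post.
FIXED_MINOR = {5: 12, 6: 6}     # branch -> first fixed release (5.12, 6.6)
PATCHES = {(5, 11): "SA-2008-067-5.11.patch",
           (6, 5): "SA-2008-067-6.5.patch"}
XSS_BRANCHES = {6}              # the book-title XSS affects Drupal 6 only

_RELEASE = re.compile(r"(\d+)\.(\d+)")


def triage(version):
    """Classify one Drupal core version string against the advisory."""
    def result(status, issues=(), action="none"):
        return {"version": version, "status": status,
                "issues": list(issues), "action": action}

    m = _RELEASE.fullmatch(version.strip())
    if m is None:                       # e.g. "6.x-dev": never guess
        return result("unparsed", action="check manually")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        return result("not covered", action="outside this advisory")
    if minor >= FIXED_MINOR[major]:
        return result("not affected")

    # File inclusion additionally requires IP-based virtual hosts on the
    # server, which a version string cannot tell us; report it regardless.
    issues = ["file inclusion"]
    if major in XSS_BRANCHES:
        issues.append("cross site scripting")
    action = f"upgrade to {major}.{FIXED_MINOR[major]}"
    patch = PATCHES.get((major, minor))
    if patch:                           # patches exist only for 5.11 and 6.5
        action += f" (interim: apply {patch})"
    return result("affected", issues, action)


if __name__ == "__main__":
    # Constructed sample inventory: site name -> installed core version.
    inventory = {"www": "6.5", "wiki": "5.12", "legacy": "5.7", "test": "6.x-dev"}
    for site, ver in inventory.items():
        r = triage(ver)
        print(f"{site:8} {ver:8} {r['status']:13} {', '.join(r['issues']) or '-':38} {r['action']}")
```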