Drupal Security Patches - upgrades available
Drupal has today announced Version 5.8 and 6.3, releasing security patches to fix some security flaws.
Here is the announcement:
Multiple vulnerabities and weaknesses were discovered in Drupal. Neither of these are readily exploitable.
CROSS SITE SCRIPTING
Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting [ http://en.wikipedia.org/wiki/Cross-site_scripting ] or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only.
Some values from OpenID [ http://openid.net/what/ ] providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only.
filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.
CROSS SITE REQUEST FORGERIES
Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries [ http://en.wikipedia.org/wiki/Cross-site_request_forgery ] (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.
SESSION FIXATION
When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session.
This may lead to a session fixation attack [ http://en.wikipedia.org/wiki/Session_fixation ], when a malicious user is able to control another users' initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.
SQL INJECTION
Schema API uses an inappropriate placeholder for 'numeric' fields enabling SQL injection [ http://en.wikipedia.org/wiki/SQL_injection ] when user-supplied data is used for such fields.This issue affects Drupal 6 only.
------------VERSIONS AFFECTED------------
* Drupal 5.x before version 5.8
* Drupal 6.x before version 6.3
------------SOLUTION------------
Install the latest version:
We will be migrating our clients Drupal installations to these new versions shortly.
Site Construction and Maintenance by Jethro Consultants
Gidday
Glad to have you stop in.
I write about my family, the internet, technology and gadgets, productivity with Microsoft Office applications Excel Tips and more.
Instagram Feed
Find Us On...
Subscribe by RSS
Copyright Notice. All documents and text contained in this web site www.spyjournal.biz and sub pages is copyright material of Timothy Miller © unless noted as being copyright material of someone else. No public reproduction of the content on this site in any form is permitted without express written permission. Privacy Policy
Recent comments
10 years 23 weeks ago
10 years 23 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago
10 years 25 weeks ago