Drupal kommentar-preview eksekvering af kode - Advisories

Software Inspectors

	Scan Online

	Personal (PSI)

	Network (NSI 2.0)

Solutions For

	Security Professionals

	Security Vendors

Free Solutions For

	Open Communities

	Journalists & Media

Secunia Advisories

	Search

	Historic Advisories

	Listed By Product

	Listed By Vendor

	Statistics / Graphs

	Secunia Research

	Report Vulnerability

	About Advisories

Virus Information

	Chronological List

	Last 10 Virus Alerts

	About Virus Information

Secunia Customers

	Customer Area

Drupal kommentar-preview eksekvering af kode

Secunia Advisory:	SA23960
Udsendt:	2007-01-30
Sidste Opdt.:	2007-02-15

Kritisk:	Meget kritisk
Betydning:	Systemadgang
Hvor:	Fra Internet
Løsning Status:	Producent Patch

Software:	Drupal 4.x Drupal 5.x

CVE reference:	CVE-2007-0626 (Secunia mirror)

	Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS!

Beskrivelse: Der er rapporteret en sårbarhed i Drupal, som kan udnyttes af ondsindede personer til at kompromittere et sårbart system. Sårbarheden skyldes en inputvalideringsfejl under håndteringen af kommentar-previews (suppleret i parameteren "comment" i Drupal 5.x eller parameteren "edit[comment]" i Drupal 4.x) og kan udnyttes til at eksekvere vilkårlig kode. Succesfuld udnyttelse forudsætter "post comments" rettigheder og tilgang til flere input-filtre (ikke standard-indstilling). Sårbarheden er rapporteret i Drupal 4.7.x tidligere end version 4.7.6 og Drupal 5.x tidligere end 5.1. Løsning: Installér patches, eller opdatér til version 4.7.6 eller 5.1. Patch for Drupal 4.7.5: http://drupal.org/files/sa-2007-005/SA-2007-005-4.7.5.patch Patch for Drupal 5.0: http://drupal.org/files/sa-2007-005/SA-2007-005-5.0.patch Drupal 4.7.6: http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.6.tar.gz Drupal 5.1: http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.1.tar.gz Rapporteret af / Kredit: Drupal Security Team Yderligere information fra str0ke. Forløb: 01-02-2007: Tilføjede CVE-reference. 15-02-2007: Opdaterede beskrivelsen. Original Advisory: http://drupal.org/node/113935



Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

18 Relaterede Secunia Advisories, displaying 10

1. Drupal "taxonomy_select_nodes()" SQL-indsættelse

2. Drupal flere sårbarheder

3. Drupal kode-eksekvering og cross-site request forgery

4. Drupal cross-site scripting og CSRF-angreb

5. Drupal "Page Not Found" spoofing-svaghed og cross-site scripting

6. Drupal flere sårbarheder

7. Drupal "user.module" cross-site scripting

8. Drupal Taxonomy modul cross-site scripting

9. Drupal SQL-indsættelse og eksekvering af vilkårlige filer

10. Drupal "project.module" script-indsættelse

Vis alle relaterede advisories

Send Feedback to Secunia

Hvis du har ny information angående dette Secunia advisory eller et produkt i vores database, så send det venligst til os. Du kan sende det til os enten ved at bruge vores web formular eller ved at sende det til vuln@secunia.com. Ideer, foreslag og andet feedback er også meget velkommen.

Secunia PSI
Scan | Patch | Track
Free Download

Secunia Poll

Most Popular Advisories

1.	Xoops PopnupBlog Module "index.php" Cross-Site Scripting

2.	IBM DB2 CLR Stored Procedures Unspecified Vulnerability

3.	DriveCrypt Plus Pack Password Disclosure Security Issue

4.	Sharity Unspecified Vulnerability

5.	IBM Lotus Quickr Multiple Cross-Site Scripting Vulnerabilities

6.	Sun Solaris NFS RPC Zones Denial of Service

7.	Smart Survey "sid" Cross-Site Scripting Vulnerability

8.	HP Enterprise Discovery Unspecified Privilege Escalation

9.	K-Rate Premium Multiple Vulnerabilities

10.	Red Hat update for kernel