Security Update for Drupal
The developers of the Drupal content management system have released versions 5.17 and 6.11 to close a cross-site scripting vulnerability. The vulnerability can only be exploited if a browser interprets valid UTF-8 byte sequences as UTF-7. When this occurs, the sequences can become potentially dangerous. According to the report, the affected browsers can include Internet Explorer 6 and, in certain cases, 7.
The new versions also fix a bug that allowed abuse through cross-site request forgery. Update patches are available for the problems, and the developers have published several advisories on vulnerabilities in extension modules from third parties.
See also:
- Drupal core - Cross site scripting
- Fivestar - Cross-site request forgery
- Node Access User Reference - Access bypass
- News Page - SQL Injection
- Exif - Cross site scripting
(djwm)