[Hacklabs] [Fwd: [Security announcements] SA-2008-035 - Aggregation - Multiple vulnerabilities]

acracia acracia at riseup.net
Wed Jun 11 23:04:38 CEST 2008


We were using this module in Drupal, weren't we?

Kisses

tati

-------- Original message --------
Subject: [Security announcements] SA-2008-035 - Aggregation - Multiple vulnerabilities
Date: Wed, 11 Jun 2008 20:53:54 +0000 (UTC)
From: noreply at drupal.org
Reply-To: noreply at drupal.org
To: acracia at riseup.net


------------SA-2008-035 - AGGREGATION - MULTIPLE VULNERABILITIES------------

 * Advisory ID: SA-2008-035

 * Project: Aggregation (third-party module)

 * Versions: 5.x

 * Date: 2008-June-11

 * Security risk: Highly critical

 * Exploitable from: Remote

 * Vulnerability: Multiple vulnerabilities

------------DESCRIPTION------------

The Aggregation module syndicates content from external feeds, saving them as
nodes. A significant number of vulnerabilities were discovered in the
module:

Cross site scripting - Numerous values are displayed without being properly
escaped or filtered, which enables users to inject arbitrary HTML and script
code on pages.

SQL Injection - Numerous values are used in SQL strings without being
properly sanitized.

Arbitrary code execution - Maliciously constructed feeds can result in the
upload of files with arbitrary extensions to the server. Whether this may
lead to arbitrary code execution depends on the exact server configuration.

Access bypass - Incorrect implementation of the access control results in
access bypass when node access modules (taxonomy access control, acl) are
used.

------------VERSIONS AFFECTED------------

 * Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4

Drupal core is not affected. If you do not use the contributed Aggregation
module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

 * If you currently use Aggregation 5.x, upgrade to Aggregation 5.x-4.4
   [ http://drupal.org/node/269184 ]

See also the Aggregation project page
[ http://drupal.org/project/aggregation ].

------------REPORTED BY------------

The cross site scripting issue was publicly reported by fonan [
http://drupal.org/user/96515 ].
The other issues were identified by Adam Light (aclight [
http://drupal.org/user/86358 ]) and Heine Deelstra (Heine [
http://drupal.org/user/17943 ]) of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
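
The first three issue classes in the description come from trusting text and file names supplied by a remote feed. The following is an added example, not part of the advisory or of the Aggregation module's code, written in Python rather than the module's PHP so that it runs stand-alone; the feed item, table layout and file-name policy are constructed assumptions.

```python
import html
import re
import sqlite3
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed hostile feed item (sample input, not taken from the advisory).
FEED = """<rss version="2.0"><channel><item>
<title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
<link>http://feeds.example/x'); DROP TABLE node;--</link>
<enclosure url="http://feeds.example/files/photo.jpg.php" type="image/jpeg"/>
</item></channel></rss>"""

# Assumed local policy: a plain stem plus exactly one allowlisted extension,
# so neither "photo.jpg.php" nor "photo.php.jpg" is ever written to disk.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)", re.IGNORECASE)


def safe_enclosure_name(url):
    """Return a local file name for a feed enclosure, or None to reject it."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name if SAFE_NAME.fullmatch(name) else None


def import_item(db, item):
    """Store one feed item; return (title escaped for HTML, accepted file)."""
    title = item.findtext("title", default="")
    link = item.findtext("link", default="")
    enc = item.find("enclosure")
    fname = safe_enclosure_name(enc.get("url", "")) if enc is not None else None
    # Placeholders keep feed text out of the SQL string itself.
    db.execute("INSERT INTO node (title, link, file) VALUES (?, ?, ?)",
               (title, link, fname))
    # The raw value is stored; escaping happens when it is rendered.
    return html.escape(title), fname


def run():
    """Import the constructed item into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (title TEXT, link TEXT, file TEXT)")
    item = ET.fromstring(FEED).find("./channel/item")
    shown, fname = import_item(db, item)
    rows = db.execute("SELECT title, link, file FROM node").fetchall()
    return shown, fname, rows


if __name__ == "__main__":
    print(run())
```

The `node` table still exists after the import, the title renders as inert text, and the enclosure is refused instead of being saved with a `.php` extension.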


