[Hacklabs] [Fwd: [Security announcements] SA-2008-035 - Aggregation - Multiple vulnerabilities]

karlos g liberal (patxangas) patxangas at sindominio.net
Thu Jun 12 10:59:10 CEST 2008


Hi

I don't know which module is installed, but the Aggregator module, which is
in Drupal core, should not be confused with Aggregation, which is the one
that has the security problem.

Cheers
> we were using this module in Drupal, right?
>
> kisses
>
> tati
>
> -------- Original message --------
> Subject: [Security announcements] SA-2008-035 - Aggregation - Multiple
> vulnerabilities
> Date: Wed, 11 Jun 2008 20:53:54 +0000 (UTC)
> From: noreply at drupal.org
> Reply-To: noreply at drupal.org
> To: acracia at riseup.net
>
>
> ------------SA-2008-035 - AGGREGATION - MULTIPLE VULNERABILITIES------------
>
>  * Advisory ID: SA-2008-035
>
>  * Project: Aggregation (third-party module)
>
>  * Versions: 5.x
>
>  * Date: 2008-June-11
>
>  * Security risk: Highly critical
>
>  * Exploitable from: Remote
>
>  * Vulnerability: Multiple vulnerabilities
>
> ------------DESCRIPTION------------
>
> The Aggregation module syndicates content from external feeds, saving them
> as nodes. A significant number of vulnerabilities were discovered in the
> module:
>
> Cross site scripting - Numerous values are displayed without being properly
> escaped or filtered, which enables users to inject arbitrary HTML and
> script code on pages.
>
> SQL Injection - Numerous values are used in SQL strings without being
> properly sanitized.
>
> Arbitrary code execution - Maliciously constructed feeds can result in the
> upload of files with arbitrary extensions to the server. Whether this may
> lead to arbitrary code execution depends on the exact server configuration.
>
> Access bypass - Incorrect implementation of the access control results in
> access bypass when node access modules (taxonomy access control, acl) are
> used.
>
> ------------VERSIONS AFFECTED------------
>
>  * Aggregation for Drupal 5.x prior to Aggregation 5.x-4.4
>
> Drupal core is not affected. If you do not use the contributed Aggregation
> module, there is nothing you need to do.
>
> ------------SOLUTION------------
>
> Install the latest version:
>
>  * If you currently use Aggregation 5.x, upgrade to Aggregation 5.x-4.4
>    [ http://drupal.org/node/269184 ]
>
> See also the Aggregation project page
> [ http://drupal.org/project/aggregation ].
>
> ------------REPORTED BY------------
>
> The cross site scripting issue was publicly reported by fonan [
> http://drupal.org/user/96515 ].
> The other issues were identified by Adam Light (aclight [
> http://drupal.org/user/86358 ]) and Heine Deelstra (Heine [
> http://drupal.org/user/17943 ]) of the Drupal security team.
>
> ------------CONTACT------------
>
> The security contact for Drupal can be reached at security at drupal.org
> or via the form at http://drupal.org/contact.
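
The distinction made in the reply above (core Aggregator versus the contributed Aggregation module) and the advisory's "prior to Aggregation 5.x-4.4" condition, written as a check over a Drupal 5 tree. This is an added example, not part of the original message or the advisory; the file name aggregation.info, the version = "..." line format and the sample tree are assumptions.

```python
import os
import re
import tempfile

FIXED = (4, 4)  # Aggregation 5.x-4.4, the fixed release named in the advisory

def info_version(text):
    """Return the version value of a Drupal .info file, or '' if absent."""
    m = re.search(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\n]*?)"?[ \t]*$', text, re.M)
    return m.group(1) if m else ""

def classify(version):
    """'vulnerable' if prior to 5.x-4.4, 'fixed' if not, 'unknown' otherwise."""
    m = re.fullmatch(r"5\.x-(\d+)\.(\d+)", version or "")
    if not m:  # dev snapshot, missing version line, or another branch
        return "unknown"
    return "fixed" if (int(m[1]), int(m[2])) >= FIXED else "vulnerable"

def scan(root):
    """Find contrib Aggregation copies on disk, whether enabled or not."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if "aggregation.info" in files:  # assumed name; core ships aggregator.info
            path = os.path.join(dirpath, "aggregation.info")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = info_version(fh.read())
            found.append((os.path.relpath(path, root), version, classify(version)))
    return sorted(found)

def build_sample(root):
    """Constructed sample tree: core Aggregator plus an old contrib Aggregation."""
    samples = {
        "modules/aggregator/aggregator.info": 'name = Aggregator\nversion = "5.7"\n',
        "sites/all/modules/aggregation/aggregation.info":
            '; constructed sample\nname = Aggregation\nversion = "5.x-4.3"\n',
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for path, version, status in scan(root):
            print(f"{status:10} {version:10} {path}")
```

A result of "unknown" means the version could not be compared with 5.x-4.4 and needs a manual look.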