XSS vulnerability in the Pathauto module

Because of a vulnerability in the Pathauto module, your session information on your Drupal site can be stolen when you visit a specially crafted link.

The vulnerability is only in the Pathauto module; if you do not use it on your Drupal site, it is not a problem for you. Those who use Pathauto are advised to download the following files and install them in place of the old version:

* Pathauto Drupal 4.6
[http://ftp.osuosl.org/pub/drupal/files/projects/pathauto-4.6.0.tar.gz]

* Pathauto Drupal 4.7
[http://ftp.osuosl.org/pub/drupal/files/projects/pathauto-4.7.0.tar.gz]


The e-mail from the Drupal security list:

------------PATHAUTO CROSS SITE SCRIPTING VULNERABILITY------------

* Advisory ID: DRUPAL-SA-2006-018

* Project: Pathauto 4.6, 4.7

* Date: 2006-Sep-05

* Security risk: less critical

* Exploitable from: remote

* Vulnerability: Cross site scripting

------------DESCRIPTION------------

It is possible for a malicious user to execute XSS (Cross Site Scripting) by
enticing a victim to click on a specially crafted link. This may lead to
administrator access if certain conditions are met.
Learn more about XSS on Wikipedia
[http://en.wikipedia.org/wiki/Cross_site_scripting].

------------VERSIONS AFFECTED------------

Please check the CVS $Id$ fields in the file pathauto_node.inc to determine
whether the version you are running is vulnerable. Versions older than the
following are vulnerable:

* Drupal 4.6 - /* $Id: pathauto_node.inc,v 1.14.2.1 2006/08/30 19:16:25 greggles Exp $ */

* Drupal 4.7 - /* $Id: pathauto_node.inc,v 1.17.2.1 2006/08/30 20:29:16 greggles Exp $ */

Drupal core is not affected. If you do not use pathauto, there is nothing you
need to do.

------------SOLUTION------------

Install the latest version:

* Pathauto for Drupal 4.6
[http://ftp.osuosl.org/pub/drupal/files/projects/pathauto-4.6.0.tar.gz].

* Pathauto for Drupal 4.7
[http://ftp.osuosl.org/pub/drupal/files/projects/pathauto-4.7.0.tar.gz].

See also the pathauto project page [http://drupal.org/project/pathauto].

------------REPORTED BY------------

Erdem Köse

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [http://drupal.org/contact].
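The advisory asks administrators to read the CVS $Id$ field in pathauto_node.inc and compare it against the fixed revisions (1.14.2.1 for Drupal 4.6, 1.17.2.1 for Drupal 4.7). The POSIX shell script below is an added example that automates that check; it is not part of the advisory or of the Pathauto project. It extracts the revision from the $Id$ line, compares dotted CVS revision numbers component by component, and reports whether the file is older than the fixed revision. The two sample files it creates (and their dates) are constructed for the demonstration; in practice the file path is the module's pathauto_node.inc and the branch argument is 4.6 or 4.7.

```shell
#!/bin/sh
# Added example: check a pathauto_node.inc file against the fixed CVS
# revisions named in DRUPAL-SA-2006-018. Not the project's own code.

# Fixed revisions taken from the advisory's VERSIONS AFFECTED section.
FIXED_46="1.14.2.1"
FIXED_47="1.17.2.1"

# Print the CVS revision found in the file's "$Id: pathauto_node.inc,v ..."
# keyword line (e.g. 1.14.2.1); prints nothing if no such line exists.
pathauto_id_revision() {
  sed -n 's/.*\$Id: pathauto_node\.inc,v \([0-9.]*\) .*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted revision $1 is greater than or equal to $2,
# comparing numerically component by component (missing components are 0).
revision_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) exit 1
      if (p > q) exit 0
    }
    exit 0
  }'
}

# Usage: pathauto_status <path-to-pathauto_node.inc> <4.6|4.7>
# Prints "patched (<rev>)" or "vulnerable (<rev> < <fixed>)".
pathauto_status() {
  file="$1"; branch="$2"
  case "$branch" in
    4.6) fixed="$FIXED_46" ;;
    4.7) fixed="$FIXED_47" ;;
    *) echo "unknown-branch"; return 2 ;;
  esac
  rev=$(pathauto_id_revision "$file")
  if [ -z "$rev" ]; then
    echo "no-id-line"
    return 2
  fi
  if revision_ge "$rev" "$fixed"; then
    echo "patched ($rev)"
  else
    echo "vulnerable ($rev < $fixed)"
  fi
}

# Constructed sample files (not real Pathauto sources): one with an older
# revision on the 4.6 branch, one carrying the fixed revision.
SAMPLE_DIR="${TMPDIR:-/tmp}/pathauto_check.$$"
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_OLD="$SAMPLE_DIR/old_pathauto_node.inc"
SAMPLE_NEW="$SAMPLE_DIR/new_pathauto_node.inc"
printf '<?php\n/* $Id: pathauto_node.inc,v 1.14 2006/01/01 00:00:00 greggles Exp $ */\n' > "$SAMPLE_OLD"
printf '<?php\n/* $Id: pathauto_node.inc,v 1.14.2.1 2006/08/30 19:16:25 greggles Exp $ */\n' > "$SAMPLE_NEW"

echo "old sample: $(pathauto_status "$SAMPLE_OLD" 4.6)"
echo "new sample: $(pathauto_status "$SAMPLE_NEW" 4.6)"
```

Revision 1.14 is the trunk revision the 4.6 branch forked from, so it sorts before 1.14.2.1 and is reported as vulnerable; the numeric component comparison also handles revisions such as 1.9 versus 1.14 correctly, which a plain string comparison would not.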
