« Endersys ve LPI (Linux Professional Institute) iş birliği
Yazılım sürecinde test etme ve kullanılabilirlik »

Reported by Mustafa ULU

Yayınlanma 07 Kas 2009 Drupal , Güvenlik Leave a Comment
Tags:

Mart 2008′de rapor ettiğim bu güvenlik açığı Ekim 2009′da giderildi.

SA-CONTRIB-2009-081 – Abuse – Cross Site Scripting

The Abuse module enables users to flag nodes and comments as offensive, bringing them to the attention of the site maintainer for review. The module suffers from a Cross Site Scripting (Cross Site Scripting) vulnerability. Such an attack may lead to a malicious user gaining full administrative access.

O zaman gönderdiğim e-posta

Abuse module displays flagged nodes in a moderation queue without applying filters (without calling node_view) on them.

Module version: abuse 5.x-1.x-dev at (http://drupal.org/node/123349)

Steps to reproduce:

  • Install abuse.module.
  • Enable flagging of any content type at “admin/settings/abuse” page.
  • Flag a node by using “Flag as offensive” link on “node/#nid” page.
  • Go to “admin/content/abuse” page. Under any tab one can see unfiltered node contents.

0 Yanıt, “Reported by Mustafa ULU”

Bu yazı için besleme Geri İzleme Adresi

  1. Henüz Yorum Yok

Yorum yapın

« Endersys ve LPI (Linux Professional Institute) iş birliği
Yazılım sürecinde test etme ve kullanılabilirlik »
Blogküre

Promote Your Page Too

Şimdi

Top Rated

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

RSS mustafaulu.net's shared items in Google Reader

  • LPI Türkiye faaliyetleri başladı 02 Şub 2010
    View Poll Endersys olarak LPI sertifikasyonunun Türkiye’de yaygınlaşması için yoğun bir şekilde çalışmalara başladık. Yapılan bu işbirliği ile Endersys, LPI’ın Türkiye’de tanıtımını, eğitimlerinin verilmesini ve sertikasyon sınavlarının düzenlenmesini koordine edecek  Bu kapsamda bilişim eğitimi veren eğitim kurumları ile işbirlikleri kurulacak LPI sertifika […]
    ismail.yenigul
  • Dirty Harry 22 Oca 2010
    (author unknown)
  • Stand back! 16 Oca 2010
    Stand back! Iz goin to do science! Itteh Bitteh Science Committeh ascepts ur finings Picture by: dunno source Caption by: conbarbie via Our LOL Builder » Recaption This! » View All Captions
    Cheezburger Network
  • I was going to start procrastinating 15 Oca 2010
    I was going to start procrastinating today, but I figured I would wait until tomorrow to start. iz hard wurk doing wut i do. Picture by: Ken Burgner Caption by: Mac_Man via Advanced Lol Builder » Recaption This! » View All Captions
    Cheezburger Network
  • [ANNOUNCE] Apache OpenJPA 2.0.0-beta released 29 Oca 2010
    The Apache OpenJPA project is proud to release OpenJPA 2.0.0 Beta [1]. This distribution is based on the final JSR 317 Java Persistence API, Version 2.0 specification [2] and passes the JPA 2.0 TCK. This release includes many new features, enhancements and fixes; giving developers access to a JPA 2.0 compliant implementation, while maintaining backwards comp […]
    Donald Woods