[Secure-testing-team] Bug#567417: drupal6: SA-CONTRIB-2010-004 - Node block XSS attack
Pedro R
pedrib at gmail.com
Thu Jan 28 23:26:37 UTC 2010
Package: drupal6
Severity: critical
Tags: security
Justification: root security hole

The Node Block module creates a block from specified content type(s).
Node block doesn't properly escape titles allowing users with permissions
to create/edit the specified content type(s) to inject arbitrary code into
the site. Such a cross site scripting (XSS) attack may lead to a malicious
user gaining full administrative access.

The above is taken from http://drupal.org/node/683598

Your package is only affected if the Node Block module (from contributed
modules) is installed. Please let me know if this module is not present
in the drupal6 package.

Many regards,
Pedro

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-rc5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
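
The escaping failure described in the report above, as an added PHP example that is not part of the original message and is not the Node Block module's code. All function names and the sample node are hypothetical; `escape_plain()` stands in for Drupal 6's `check_plain()`, and `render_block()` assumes a block template that prints the subject as given.

```php
<?php
// Added illustration; NOT the Node Block module's code. All function names
// here are hypothetical. Runs stand-alone with the PHP CLI.

// Stand-in for Drupal 6's check_plain(), which HTML-encodes plain text.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: user-supplied node title used as block subject as-is.
function block_from_node_unsafe($node) {
  return array(
    'subject' => $node->title,
    'content' => $node->body_filtered,
  );
}

// Hardened pattern: the title is plain text, so encode it on output.
function block_from_node_safe($node) {
  return array(
    'subject' => escape_plain($node->title),
    'content' => $node->body_filtered,
  );
}

// Assumed stand-in for a block template that prints the subject verbatim.
function render_block($block) {
  return '<div class="block"><h2>' . $block['subject'] . "</h2>\n"
       . '<div class="content">' . $block['content'] . "</div></div>\n";
}

// Constructed sample node: title contains markup, body already filtered.
$node = new stdClass();
$node->title = 'News <script>/* attacker-controlled */</script>';
$node->body_filtered = '<p>Body text after the input filter.</p>';

$unsafe = render_block(block_from_node_unsafe($node));
$safe = render_block(block_from_node_safe($node));

// Regression check: no raw <script> may survive in the rendered heading.
printf("unsafe contains raw <script>: %s\n", strpos($unsafe, '<script>') !== false ? 'yes' : 'no');
printf("safe contains raw <script>:   %s\n", strpos($safe, '<script>') !== false ? 'yes' : 'no');
echo $safe;
```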