Drupal Multiple XSS and Request Forgery Vulnerabilities

April 25th, 2008

Drupal Multiple XSS and Request Forgery Vulnerabilities

The application is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. The Internationalization module is also prone to cross-site request forgery attacks while performing node translations.

An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can exploit the cross-site request-forgery issue by tricking a victim into following a specially crafted HTTP request designed to perform some action on the attacker’s behalf using a victim’s currently active session. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

The vendor has released updates.

Vulnerable:

Drupal Localizer 5.x 3.3
Drupal Localizer 5.x 2.x-dev
Drupal Localizer 5.x 1.10
Drupal Internationalization 6.x 1.x-dev
Drupal Internationalization 5.x 2.2
Drupal Internationalization 5.x 1.x-dev

Not Vulnerable:

Drupal Localizer 5.x 3.4
Drupal Localizer 5.x 2.1
Drupal Localizer 5.x 1.11
Drupal Internationalization 6.x 1.0-beta1
Drupal Internationalization 5.x 2.3
Drupal Internationalization 5.x 1.1

Email, Bookmark or Share:

More on CyberInsecure:

Apple Patches Multiple Vulnerabilities In Safari 3.1.1

Multiple Cross-Site Scripting Vulnerabilities on EA Websites

Nine Out Of Ten Websites Are Vulnerable To Attack

McAfee “Hacker Safe” Certified Websites Found To Be Vulnerable

40 Security Flaws Fixed In Mac OS X Security Update 2008-007

Posted in Vulnerabilities, XSS |

Print This Post

This entry was posted on Friday, April 25th, 2008 at 6:33 am and is filed under Vulnerabilities, XSS. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

If you found this information useful, consider linking to it from your own website.
Just copy and paste the code below into your website (Ctrl+C to copy)
It will look like this: Drupal Multiple XSS and Request Forgery Vulnerabilities

Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

Latest Virus Descriptions

Trojan-Downloader.JS.Small.fi 29 Oct 2008 20:03:00 +030
This Trojan downloads other files via the Internet and launches them for execution on the victim machine. The program is an HTML page which contains Java Script scenarios. It is 1432 bytes in size.
Trojan-PSW.Win32.OnLineGames.sxa 29 Oct 2008 20:01:00 +030
This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size. Installation The Trojan copies its executable file to the Windows system directory: %System%\kavo.exe In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-PSW.Win32.OnLineGames.lfi 29 Oct 2008 20:00:00 +030
This malicious program is a Trojan. It is a Windows PE EXE file. It is 123873 bytes in size. Installation The Trojan copies its executable file to the Windows system directory: %System%\amvo.exe In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-Downloader_Win32_Agent.nmi 29 Oct 2008 19:59:00 +030
This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. The size of infected files can range from 18KB to 47KB.
Trojan-Downloader.Win32.Braidupdate.c 28 Oct 2008 15:54:00 +030
This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 79360 bytes in size. It is written in C++. Installation In order to ensure that the Trojan is launched automatically each…
Trojan-Downloader.JS.Agent.sg 28 Oct 2008 15:52:00 +030
This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains Visual Basic Script and Java Script. It is 677 bytes in size.
Trojan-GameThief.Win32.OnLineGames.tnys 28 Oct 2008 15:48:00 +030
This Trojan is designed to steal account data from the online game LineAge2. It is a Windows PE EXE file. It is 654848 bytes in size.
Trojan-PSW.Win32.OnLineGames.rlh 28 Oct 2008 15:39:00 +030
This malicious program is a Trojan. It is a Windows PE EXE file. It is 112736 bytes in size. Installation The Trojan copies its executable file to the Windows system directory: %System%\kavo.exe In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-Downloader.Win32.Delf.cgx 20 Oct 2008 15:56:00 +030
This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 48128 bytes in size. It is packed using PECompact. The unpacked file is approximately 131KB in size. It is…
Backdoor.Win32.Small.x 20 Oct 2008 15:54:00 +030
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 1087 bytes in size.

CyberInsecure.com

Drupal Multiple XSS and Request Forgery Vulnerabilities

Leave a Reply

Categories

Archives

Links

Internet Threat Level

Recent Entries

Vendor Security Alerts

Subscribe

Members

Latest Virus Descriptions