CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 25th, 2008

Drupal Multiple XSS and Request Forgery Vulnerabilities

The affected Drupal modules are prone to multiple cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied input before rendering it. The Internationalization module is also prone to cross-site request forgery while performing node translations.

An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can exploit the cross-site request forgery issue by tricking a victim into following a specially crafted link that issues an HTTP request designed to perform an action on the attacker’s behalf using the victim’s currently active session. To exploit any of these issues, an attacker must entice an unsuspecting victim into following a malicious URI.
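As an added illustration, not code from the advisory or from the Localizer or Internationalization modules, the following hypothetical Drupal 6 module code shows the two defensive patterns that close these issue classes: escaping user-controlled strings with check_plain() before they are rendered, and binding a state-changing translation link to the user's session with drupal_get_token() so that a forged cross-site request fails drupal_valid_token(). The function names (example_*) and the token value are assumptions for the example.

```php
<?php
// Added example: hypothetical Drupal 6 module code, not the advisory's
// or the i18n/Localizer modules' own. Names prefixed "example_" are assumed.

/**
 * Weak form of both issues, shown for contrast:
 *   - $node->title is rendered unescaped (stored cross-site scripting)
 *   - the translate link carries no anti-forgery token (request forgery)
 */
function example_translate_block_weak($node) {
  return '<h2>' . $node->title . '</h2>'
       . '<a href="' . url('node/' . $node->nid . '/translate') . '">'
       . 'Translate</a>';
}

/**
 * Hardened form: escape output and tie the action to the user's session.
 */
function example_translate_block($node) {
  // check_plain() HTML-encodes <, >, &, " and ' so script in a title is inert.
  $title = check_plain($node->title);
  // drupal_get_token() derives the token from the user's session and the
  // given value, so a page on another origin cannot produce a valid one.
  $token = drupal_get_token('translate-' . $node->nid);
  // l() applies check_plain() to the link text itself unless 'html' => TRUE.
  return '<h2>' . $title . '</h2>'
       . l(t('Translate'), 'node/' . $node->nid . '/translate',
           array('query' => array('token' => $token)));
}

/**
 * Menu callback for node/%/translate: refuses the request unless the token
 * matches, so a victim who merely follows a crafted link changes nothing.
 */
function example_translate_node($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'translate-' . $node->nid)) {
    return drupal_access_denied();
  }
  // ... create the translation here, using the verified user's session ...
  // t() escapes %placeholder values, so the title is safe in the message.
  drupal_set_message(t('Translation created for %title',
                       array('%title' => $node->title)));
  return '';
}
```

Wherever the translation action can be expressed as a Form API submission instead of a GET link, Drupal adds and checks the form token automatically, which removes the need for the manual drupal_valid_token() check.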

The vendor has released updates.

Vulnerable:

Drupal Localizer 5.x 3.3
Drupal Localizer 5.x 2.x-dev
Drupal Localizer 5.x 1.10
Drupal Internationalization 6.x 1.x-dev
Drupal Internationalization 5.x 2.2
Drupal Internationalization 5.x 1.x-dev

Not Vulnerable:

Drupal Localizer 5.x 3.4
Drupal Localizer 5.x 2.1
Drupal Localizer 5.x 1.11
Drupal Internationalization 6.x 1.0-beta1
Drupal Internationalization 5.x 2.3
Drupal Internationalization 5.x 1.1
