Bug 250737 - www-apps/drupal < 6.7 and < 5.13 Cross-Site Request Forgery and Script Insertion
Summary: www-apps/drupal < 6.7 and < 5.13 Cross-Site Request Forgery and Script Insertion
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://drupal.org/node/345441
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-12 19:19 UTC by Bruno Buss
Modified: 2008-12-12 23:11 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Bruno Buss 2008-12-12 19:19:52 UTC
From official site:
http://drupal.org/node/345441

And Secunia:
http://secunia.com/Advisories/33112/


Drupal Team already released 6.8 and 5.14, I think we just need a version bump, so I'm putting the [ebuild] keyword.

I'm also putting ~2 because, from Secunia:
2) The application does not completely remove deleted input formats. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-12 21:03:43 UTC
Thanks for the report. However, "execute arbitrary HTML and script code" is ~4; ~2 would be execution of arbitrary shell code.
Comment 2 Bruno Buss 2008-12-12 22:08:29 UTC
Ok, changing it to ~4.

Peter already uploaded 6.7 and 5.13 ebuilds to CVS.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-12 23:11:58 UTC
yay... noglsa!