[Security Advisory] SA-2007-021: Project issue tracking

Got this in the mail today. No idea why a security advisory dated September 27 only arrived today.
Source: Prague Park (布拉格公园): SA-2007-021 - Project issue tracking
Unbelievable.....

Advisory ID: DRUPAL-SA-2007-021
Project: Project issue tracking (third-party module)
Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x
Date: 2007-Sep-27
Security risk: Moderate
Exploitable from: Remote
Vulnerability: Cross-site scripting (XSS)

This one is a security warning about a third-party Drupal module called PROJECT ISSUE TRACKING; the official recommendation is to take proactive steps to avoid the security risk.

The affected versions are 4.7.x-1.x, 4.7.x-2.x and 5.x-1.x.

The solution is to install the latest version.

* 5.x-1.x:  [ http://drupal.org/node/178976 ]

* 4.7.x-2.x:  [ http://drupal.org/node/178979 ]

* 4.7.x-1.x:  [ http://drupal.org/node/178981 ]

Quote:
------------SA-2007-021: PROJECT ISSUE TRACKING - XSS VULNERABILITIES IN SUBSCRIPTION FORMS------------

* Advisory ID: DRUPAL-SA-2007-021.

* Project: Project issue tracking (third-party module)

* Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x

* Date: 2007-Sep-27

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Cross-site scripting (XSS)

------------DESCRIPTION------------

The Project issue tracking [ http://drupal.org/project/project_issue ] module
provides a subscription functionality enabling users to sign up for e-mail
notification of issue updates. The subscriptions can be edited on both an
individual or overview form. Users who have permissions to create or edit
projects may be able to inject arbitrary code on these form pages.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).

------------VERSIONS AFFECTED------------

* 5.x-1.x:
  * Project issue tracking before version 5.x-1.1

* 4.7.x-2.x:
  * Project issue tracking before version 4.7.x-2.5

* 4.7.x-1.x:
  * Project issue tracking before version 4.7.x-1.5

Drupal core is not affected. If you do not use the contributed Project issue
tracking module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:

* 5.x-1.x:
  * Project issue tracking 5.x-1.1 [ http://drupal.org/node/178976 ]

* 4.7.x-2.x:
  * Project issue tracking 4.7.x-2.5 [ http://drupal.org/node/178979 ]

* 4.7.x-1.x:
  * Project issue tracking 4.7.x-1.5 [ http://drupal.org/node/178981 ]

As a temporary solution, site administrators can disable (for untrusted users)
all permissions that allow creating or editing of projects.

------------REPORTED BY------------

Chad Phillips (hunmonk [ http://drupal.org/user/22079 ]) of the Drupal security
team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

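The advisory's description says that users holding project create/edit permissions could get arbitrary markup onto the subscription form pages, because project titles end up as labels on those forms. The PHP below is an added illustration, not code from the Project issue tracking module or from the advisory: it shows the pattern in the Drupal 5-era form-array style, once with project titles used as checkbox labels verbatim, and once with every title passed through check_plain() before it becomes part of the form. The function names, the sample projects, the tiny renderer and the assertions are constructed for this example; check_plain() is stubbed with its real definition (htmlspecialchars with ENT_QUOTES) so the file runs outside Drupal.

```php
<?php
// Added illustration of the advisory's issue class; not the module's own code.
// Pattern: a subscription form lists projects by title, and a title saved by
// a user with project create/edit permission reaches the page unescaped.

// Stand-in so this file runs outside Drupal. Drupal's check_plain() is
// htmlspecialchars() with ENT_QUOTES on UTF-8 text.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: one benign project title, one carrying HTML of the
// kind an editor with project permissions could store in a title field.
$projects = array(
  1 => (object) array('nid' => 1, 'title' => 'Views'),
  2 => (object) array('nid' => 2, 'title' => 'Demo <img src=x onerror="alert(1)">'),
);

// Vulnerable shape (hypothetical function): titles become labels as-is.
// The form API of that era did not escape #options labels on its own.
function subscription_form_vulnerable(array $projects) {
  $options = array();
  foreach ($projects as $project) {
    $options[$project->nid] = $project->title;   // no sanitisation
  }
  return array('projects' => array('#type' => 'checkboxes', '#options' => $options));
}

// Hardened shape (hypothetical function): every user-supplied string is
// escaped at the point where it is turned into markup.
function subscription_form_hardened(array $projects) {
  $options = array();
  foreach ($projects as $project) {
    $options[$project->nid] = check_plain($project->title);
  }
  return array('projects' => array('#type' => 'checkboxes', '#options' => $options));
}

// Minimal renderer standing in for the theme layer; just enough to show what
// would be sent to the browser for the #options labels.
function render_checkboxes(array $form) {
  $html = '';
  foreach ($form['projects']['#options'] as $nid => $label) {
    $html .= '<label><input type="checkbox" name="projects[' . (int) $nid . ']"> '
           . $label . "</label>\n";
  }
  return $html;
}

// Regression-style check: the raw tag must survive only in the vulnerable form.
$bad  = render_checkboxes(subscription_form_vulnerable($projects));
$good = render_checkboxes(subscription_form_hardened($projects));
assert(strpos($bad, '<img') !== false);
assert(strpos($good, '<img') === false);
assert(strpos($good, '&lt;img src=x onerror=&quot;alert(1)&quot;&gt;') !== false);
echo $good;
```

Run with `php` on the command line; the hardened output shows the title as literal text (`&lt;img ...&gt;`) inside the label, while the vulnerable variant would hand the tag to the browser. The same rule covers the "overview" and "individual" subscription forms the advisory mentions: any string a project editor controls must be escaped wherever it is rendered, not only where it was first entered.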

Should we set up a dedicated section to repost these security advisories?
Does everyone think that would be useful? What's the best way to do it?

Agreed! Opening a new forum discussion board should be enough.

--------------------------------------------------------

Cartson.com

It's necessary. Security is the most important thing when running a site.

My small Drupal site: http://boygj.com/