CERTA-2008-AVI-488
Vulnerability from certfr_avis - Published: 2008-10-10 - Updated: 2008-10-10
Plusieurs vulnérabilités dans Drupal permettent de contourner la politique de sécurité et d'accéder à certains fichiers.
Description
Plusieurs vulnérabilités ont été découvertes dans Drupal :
- des utilisateurs non privilégiés peuvent attacher des fichiers au contenu (Drupal 6.x) ou récupérer des fichiers attachés au contenu (Drupal 5.x) ;
- un problème dans le module de gestion des utilisateurs permet de se connecter malgré des restrictions d'accès ;
- le module BlogAPI ne valide pas correctement certains champs ;
- une vulnérabilité dans le module node API permet de contourner la validation de certaines pages (Drupal 5.x).
Solution
Mettre Drupal à jour en version 5.11 ou 6.5 (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Drupal versions 6.x ant\u00e9rieures \u00e0 6.5.",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
},
{
"description": "Drupal versions 5.x ant\u00e9rieures \u00e0 5.11 ;",
"product": {
"name": "Drupal",
"vendor": {
"name": "Drupal",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nPlusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal :\n\n- des utilisateurs non privil\u00e9gi\u00e9s peuvent attacher des fichiers au\n contenu (Drupal 6.x) ou r\u00e9cup\u00e9rer des fichiers attach\u00e9s au contenu\n (Drupal 5.x) ;\n- un probl\u00e8me dans le module de gestion des utilisateurs permet de se\n connecter malgr\u00e9 des restrictions d\u0027acc\u00e8s ;\n- le module BlogAPI ne valide pas correctement certains champs ;\n- une vuln\u00e9rabilit\u00e9 dans le module node API permet de contourner la\n validation de certaines pages (Drupal 5.x).\n\n## Solution\n\nMettre Drupal \u00e0 jour en version 5.11 ou 6.5 (cf. section Documentation).\n",
"cves": [],
"initial_release_date": "2008-10-10T00:00:00",
"last_revision_date": "2008-10-10T00:00:00",
"links": [],
"reference": "CERTA-2008-AVI-488",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2008-10-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Plusieurs vuln\u00e9rabilit\u00e9s dans \u003cspan class=\"textit\"\u003eDrupal\u003c/span\u003e\npermettent de contourner la politique de s\u00e9curit\u00e9 et d\u0027acc\u00e9der \u00e0\ncertains fichiers.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-2008-060 du 08 octobre 2008",
"url": "http://drupal.org/node/318706"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…