Pedro R
2010-Jan-28 23:26 UTC
[Secure-testing-team] Bug#567417: drupal6: SA-CONTRIB-2010-004 - Node block XSS attack
Package: drupal6
Severity: critical
Tags: security
Justification: root security hole

The Node Block module creates a block from specified content type(s). Node block doesn't properly escape titles allowing users with permissions to create/edit the specified content type(s) to inject arbitrary code into the site. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.

The above is taken from http://drupal.org/node/683598

Your package is only affected if the Node Block module (from contributed modules) is installed. Please let me know if this module is not present in the drupal6 package.

Many regards,
Pedro

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-rc5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash