security

Security advisory: CCK comment reference (third-party module)

* Advisory ID: DRUPAL-SA-CONTRIB-2009-021
* Project: CCK comment reference (third-party module)
* Version: 6.x
* Date: 2009 April 15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

The CCK comment reference project lets administrators define node fields that
are references to comments. When displaying a node edit form, the titles of
candidate referenced comments are not properly filtered, allowing malicious

Security advisory: Printer, e-mail and PDF versions

* Advisory ID: DRUPAL-SA-CONTRIB-2009-020
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2009-April-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

The Printer, e-mail and PDF versions ("Print") module provides
printer-friendly versions of content. The module does not correctly escape
content titles, enabling malicious users to insert arbitrary HTML and scripts

Security advisory: Localization client (third-party module)

* Advisory ID: DRUPAL-SA-CONTRIB-2009-019
* Project: Localization client (third-party module)
* Versions: 5.x, 6.x
* Date: 2009-April-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

The Localization client module allows you to translate the interface of your
Drupal site from within each page as you go. When displaying translatable
strings and their completed translations, the module does not escape the

Security advisory: DRUPAL-SA-CONTRIB-2009-005 - VIEWS BULK OPERATIONS - CROSS SITE SCRIPTING

---- DRUPAL-SA-CONTRIB-2009-005 - VIEWS BULK OPERATIONS - CROSS SITE SCRIPTING ----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-005

* Project: Views bulk operations (third-party module)

* Version: 5.x, 6.x

* Date: 2009 February 04

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Cross-site scripting (XSS)

---- DESCRIPTION ----

Views bulk operations augments Views by enabling bulk operations to be executed
on the content displayed by a view. Views bulk operations does not properly

Cookies in Drupal: changing their lifetime.

Drupal has a complete session management system; for a fuller picture I recommend reading chapter 16 of Pro Drupal Development.

If we want Drupal's cookies not to "live" so long on our machine, I recommend using Firefox and configuring the browser to delete cookies and history every time it is closed. If you don't want to do that, the user only uses IE (poor them), or there are other reasons why it can't be done, the solution is to change the lifetime of Drupal's cookies.
