
Files from Uwe Hermann

Email address: uwe at hermann-uwe.de
First Active: 2005-06-18
Last Active: 2007-01-31
DRUPAL-SA-2007-005.txt
Posted Jan 31, 2007
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. Affected versions include Drupal 4.7.x releases before Drupal 4.7.6 and Drupal 5.x releases before Drupal 5.1.

tags | advisory, arbitrary
SHA-256 | 2e86ad7cf732e48c2e546b4432795c4809c57b8a13758652be4bc9714527a906
DRUPAL-SA-2007-002.txt
Posted Jan 7, 2007
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages. If the page cache is not enabled, your site is not vulnerable. The vulnerability only affects sites running on top of MySQL.

tags | advisory, denial of service
SHA-256 | 586514a30d2638ed99461f42690efaf3b811a03e2eafffba2aa3d38eb5218f2e
DRUPAL-SA-2007-001.txt
Posted Jan 7, 2007
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack may lead to administrator access if certain conditions are met.

tags | advisory, arbitrary
SHA-256 | d4f4f67373a26f8122e427f493188ae9edcd921450b63a220e9b9cedb0051f07
DRUPAL-SA-2006-024.txt
Posted Oct 21, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory - DRUPAL-SA-2006-024: Multiple XSS (cross site scripting) vulnerabilities have been discovered.

tags | advisory, vulnerability, xss
SHA-256 | 1aa675f91c66e69c739dbfa33817a0d04e6526d3a5f2b4c2b15192944ad977b4
DRUPAL-SA-2006-025.txt
Posted Oct 21, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-025: Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate: suppose one has an active user 1 session (the most powerful administrator account for a site) to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means. An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in.

tags | advisory, web, php
SHA-256 | c2eab01fab47cd53866e412e9c040859163e8d5a1dfd064f8742b495b323b50a
DRUPAL-SA-2006-026.txt
Posted Oct 21, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-026: A malicious user may entice users to visit a specially crafted URL that may result in the redirection of a Drupal form submission to a third-party site. A user visiting the user registration page via such a URL, for example, will submit all data, such as his/her e-mail address, but also possibly private profile data, to a third-party site.

tags | advisory
SHA-256 | aac4a667546b92b6c6ad5f65a8adf2bf591fd7078837743847a284bbb2d5ba58
DRUPAL-SA-2006-011.txt
Posted Aug 17, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-011: A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions 4.6 and 4.7 are affected.

tags | advisory, xss
SHA-256 | 729acaa041bbcefdff3132971b083758ab50c3e1077bfab8676740ab791d7a63
DRUPAL-SA-2006-005.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-005: A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.

tags | advisory
SHA-256 | 19af6d2e9e201f9bae66069a24d63bb1936da2526fa2a043cf13cfa495353f27
DRUPAL-SA-2006-008.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-008: Bart Jansens reported that it is possible for a malicious user to insert and execute XSS into free tagging terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain().

tags | advisory
SHA-256 | b0584638f5b9adbb1149a2a0377ce9f140df6fe298f84e5f8c229862801bc629
DRUPAL-SA-2006-007.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-007: Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser under certain common Apache configurations, it will cause the script inside to be executed. We deemed this exploit critical and released Drupal 4.6.7 and 4.7.1 six hours after the report was filed. The fix was to create a .htaccess file to remove all dynamic script handlers, such as PHP, from the "files" directory.

tags | advisory, web, php
SHA-256 | 80255e976ff4dd047478820972ff5b573191bdf31f9141104f3845d0753acd3b
DRUPAL-SA-2006-006.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-006: Certain -- alas, typical -- configurations of Apache allow execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you.

tags | advisory, arbitrary
SHA-256 | 912163027c6bb36941cf7da0ba234a074978f1fa7d6a9468b1006f98299d31b5
DRUPAL-SA-2006-004.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to Drupal sites being used to send unwanted email.

tags | advisory
SHA-256 | 1593c14061e40cbca8c0485ff8815eba5d4b704873ddee25db55fc17670c175f
DRUPAL-SA-2006-003.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - If someone creates a clever enough URL and convinces you to click on it, and you later log in but do not log off, then the attacker may be able to impersonate you.

tags | advisory
SHA-256 | 26113c5ba32f52f8db7685785893b4a4abc1f3d1aa53eeca7cd3a86b2f451d71
DRUPAL-SA-2006-002.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - Some user input sanity checking was missing. This could lead to possible cross-site scripting (XSS) attacks.

tags | advisory, xss
SHA-256 | 22f936336daa931de712205477052d81713d84109b43fdabb0f8356a104eef4d
DRUPAL-SA-2006-001.txt
Posted Mar 14, 2006
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal security advisory - If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page.

tags | advisory
SHA-256 | f20adb72ea5aba1fdfa5c3383930de33cb89aed2f989f96dda0a5fe814bf3ee3
DRUPAL-SA-2005-009.txt
Posted Dec 3, 2005
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal versions 4.6.0 through 4.6.3 suffer from an authentication bypass flaw when using PHP5.

tags | advisory
SHA-256 | 7a3173d83565d75a35fe66ad58972f59aa52440ff343ed08cf689d5678f0cbb5
DRUPAL-SA-2005-008.txt
Posted Dec 3, 2005
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal versions 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 suffer a script injection flaw via attached files.

tags | advisory
SHA-256 | 35ec66097d4c6335e28d0d8461f7643c24bda8158fd7cf7483a3784f08d8f0d4
DRUPAL-SA-2005-007.txt
Posted Dec 3, 2005
Authored by Uwe Hermann | Site hermann-uwe.de

Drupal versions 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3 suffer from cross site scripting flaws due to various quirks in interpretation of non-sensical attribute values.

tags | advisory, xss
SHA-256 | 38da2e32558d5e0702a8afa7f1fe5a808d08bed9886b36688f6b45d007ac9ff7
DRUPAL-SA-2005-004.txt
Posted Aug 17, 2005
Authored by Uwe Hermann | Site drupal.org

Stefan Esser of the Hardened-PHP Project reported a serious vulnerability in the third-party XML-RPC library included with some Drupal versions. An attacker could execute arbitrary PHP code on a target site.

tags | advisory, arbitrary, php
SHA-256 | f1693245942b10512ab9dd01ee950c7b7ead43979f7b2d80448b9875aa3599a3
DRUPAL-SA-2005-003.txt
Posted Jul 1, 2005
Authored by Uwe Hermann | Site drupal.org

A flaw has been discovered in the third-party XML-RPC library included with Drupal. An attacker could execute arbitrary PHP code on a target site.

tags | advisory, arbitrary, php
SHA-256 | c23af80afccc28c6e386c2d9c57c08cb7dcd67c51b1bdbfd76ab901c28db1291
DRUPAL-SA-2005-002.txt
Posted Jul 1, 2005
Authored by Uwe Hermann | Site drupal.org

Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's filter mechanism. An attacker could execute arbitrary PHP code on a target site when public comments or postings are allowed.

tags | advisory, arbitrary, php
SHA-256 | 3cde9b7af7d34c526f434457021465af93437a68f76031f5ab71ab278732d190
DRUPAL-SA-2005-001.txt
Posted Jun 18, 2005
Authored by Uwe Hermann | Site drupal.org

The Drupal Security Team has found that the privilege system of Drupal can be circumvented in a very special case because an input check is not implemented properly.

tags | advisory
SHA-256 | f0dbedb768968931ebac535ca37bc4a6e5fc685740db2480bbd31599b8709b22

© 2022 Packet Storm. All rights reserved.