Vulnerability Details
Speedtech Storm Project HTML Injection Vulnerability
- CNNVD ID: CNNVD-201006-012
- Severity: Medium
- CVE ID: CVE-2010-2123
- Vulnerability type: Cross-site scripting
- Published: 2010-06-03
- Threat type: Remote
- Updated: 2010-06-03
- Vendor: speedtech
- Source: Drupal
Vulnerability Summary
Drupal is a well-known open-source content management platform. It is modelled on the blog application pattern but is far more flexible than an ordinary blog and can serve as the content management platform for all kinds of websites.
The Drupal Storm module contains multiple cross-site scripting vulnerabilities. A remote authenticated user with permissions for certain module features can inject arbitrary web script or HTML through a number of parameters, including: the (1) fullname, (2) address, (3) city, (4) provstate (aka state), (5) phone, or (6) taxid parameter in a stormorganization action to index.php; the (7) name parameter in a stormperson action to index.php; the (8) stepno (aka "Step no.") or (9) title parameter in a stormtask action to index.php; the title (aka Project) parameter in a stormticket action to index.php; or unspecified parameters in a stormproject action to index.php.
Vulnerability Advisory
The vendor has released an upgrade that fixes this security issue. Download link:
Each of the following affected releases upgrades to the same package, Drupal storm-6.x-1.33.tar.gz:
http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz
- Drupal Storm 6.x-1.16
- Drupal Storm 6.x-1.8
- Drupal Storm 6.x-1.22
- Drupal Storm 6.x-1.4
- Drupal Storm 6.x-1.18
- Drupal Storm 6.x-1.31
- Drupal Storm 6.x-1.14
- Drupal Storm 6.x-1.27
- Drupal Storm 6.x-1.0
- Drupal Storm 6.x-1.11
- Drupal Storm 6.x-1.26
- Drupal Storm 6.x-1.12
- Drupal Storm 6.x-1.23
- Drupal Storm 6.x-1.9
- Drupal Storm 6.x-1.32
- Drupal Storm 5.x-1.10
- Drupal Storm 6.x-1.30
- Drupal Storm 6.x-1.1
- Drupal Storm 5.x-1.3
- Drupal Storm 5.x-1.2
- Drupal Storm 6.x-1.7
- Drupal Storm 5.x-1.5
- Drupal Storm 6.x-1.29
- Drupal Storm 6.x-1.5
- Drupal Storm 5.x-1.1
- Drupal Storm 6.x-1.17
- Drupal Storm 5.x-1.4
- Drupal Storm 5.x-1.11
- Drupal Storm 6.x-1.24
- Drupal Storm 5.x-1.13
- Drupal Storm 6.x-1.10
- Drupal Storm 5.x-1.9
- Drupal Storm 6.x-1.2
- Drupal Storm 5.x-1.14
- Drupal Storm 5.x-1.7
- Drupal Storm 6.x-1.25
- Drupal Stor
References
Source: BID
Name: 40288
Link: http://www.securityfocus.com/bid/40288
Source: drupal.org
Link: http://drupal.org/node/803770
Source: XF
Name: drupal-storm-unspecified-xss(58717)
Link: http://xforce.iss.net/xforce/xfdb/58717
Source: OSVDB
Name: 64616
Link: http://www.osvdb.org/64616
Source: SECUNIA
Name: 39732
Link: http://secunia.com/advisories/39732
Source: FULLDISC
Name: 20100512 Drupal storm 1.32
Link: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0160.HTML
Affected Entities
- Speedtech Storm:5.X-1.X:Dev
- Speedtech Storm:5.X-1.1
- Speedtech Storm:5.X-1.2
- Speedtech Storm:5.X-1.3
- Speedtech Storm:5.X-1.4
Patch
None available