----------------------------------------------------------------------

TITLE:
Drupal LDAP Integration Module Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA37198

VERIFY ADVISORY:
http://secunia.com/advisories/37198/

DESCRIPTION:
Some vulnerabilities have been reported in the LDAP Integration module
for Drupal, which can be exploited by malicious users to conduct script
insertion attacks and by malicious people to conduct cross-site request
forgery attacks and bypass certain security restrictions.

1) Certain input passed to user defined server names is not properly
sanitised before being displayed to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.

2) The module allows users to perform certain actions via HTTP requests
without performing any validation checks to verify the requests. This
can be exploited to e.g. activate or deactivate an LDAP server.

3) An error in the handling of access permissions of user LDAP data can
be exploited to access otherwise restricted content.

4) An error in the handling of access permissions of user management
can be exploited to access otherwise restricted content.

The vulnerabilities are reported in versions prior to 6.x-1.0-beta2 and
5.x-1.5.
SOLUTION:
LDAP Integration 6.x:
Update to 6.x-1.0-beta2
http://drupal.org/node/615898

LDAP Integration 5.x:
Update to 5.x-1.5
http://drupal.org/node/615900

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Jakub Suchy of the Drupal Security Team.
2) The vendor credits Stéphane Corlosquet of the Drupal Security Team.
3) The vendor credits Christian A. Reiter and Matt Vance.
4) The vendor credits Kevin Murphy.

ORIGINAL ADVISORY:
SA-CONTRIB-2009-084:
http://drupal.org/node/617386

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
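The four issues above are the three classic Drupal contrib defects: unescaped output, state-changing links without a request token, and paths without a proper access check. The following is an added illustration written against the Drupal 6 API of how a module closes each of them; it is not the LDAP Integration module's own code, and every name prefixed "example_" (functions, paths, the {example_ldap_server} table and the permission strings) is hypothetical.

```php
<?php
// Added illustration (not the LDAP Integration module's code) of the three
// defensive patterns behind the advisory's fixes, on the Drupal 6 API.
// Everything prefixed "example_" is a hypothetical name.

/**
 * Implementation of hook_perm(): declare the permissions checked below.
 */
function example_ldap_perm() {
  return array('administer example ldap', 'view example ldap data');
}

/**
 * Implementation of hook_menu().
 * Every path declares an access check, so a caller without the right
 * permission is refused before the page callback runs (issues 3 and 4).
 */
function example_ldap_menu() {
  $items = array();
  $items['admin/settings/example-ldap'] = array(
    'title' => 'LDAP servers',
    'page callback' => 'example_ldap_server_list',
    'access arguments' => array('administer example ldap'),
    'type' => MENU_NORMAL_ITEM,
  );
  $items['admin/settings/example-ldap/%/toggle'] = array(
    'title' => 'Toggle LDAP server',
    'page callback' => 'example_ldap_server_toggle',
    'page arguments' => array(3),
    'access arguments' => array('administer example ldap'),
    'type' => MENU_CALLBACK,
  );
  $items['user/%user/ldap'] = array(
    'title' => 'LDAP data',
    'page callback' => 'example_ldap_user_data',
    'page arguments' => array(1),
    'access callback' => 'example_ldap_user_data_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * A user may see LDAP data for their own account, or for any account when
 * holding the dedicated permission; nobody else (issue 3).
 */
function example_ldap_user_data_access($account) {
  global $user;
  return user_access('view example ldap data')
    || ($user->uid && $user->uid == $account->uid);
}

/**
 * Lists servers. The user-supplied name goes through check_plain() before
 * it reaches HTML, which closes the script insertion vector (issue 1).
 * The toggle link carries a token bound to this session and server id.
 */
function example_ldap_server_list() {
  // Constructed sample rows standing in for {example_ldap_server} records.
  $servers = array(
    (object) array('sid' => 1, 'name' => 'corp-ldap', 'status' => 1),
    (object) array('sid' => 2, 'name' => '<b>test</b>', 'status' => 0),
  );
  $rows = array();
  foreach ($servers as $server) {
    $token = drupal_get_token('example_ldap_toggle_' . $server->sid);
    $rows[] = array(
      check_plain($server->name),
      $server->status ? t('Active') : t('Inactive'),
      l($server->status ? t('Deactivate') : t('Activate'),
        'admin/settings/example-ldap/' . $server->sid . '/toggle',
        array('query' => array('token' => $token))),
    );
  }
  $header = array(t('Name'), t('Status'), t('Operations'));
  return theme('table', $header, $rows);
}

/**
 * Activates or deactivates a server. The request is honoured only when it
 * carries the token drupal_get_token() issued to this session for this
 * exact server, which defeats cross-site request forgery (issue 2).
 */
function example_ldap_server_toggle($sid) {
  $sid = (int) $sid;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_ldap_toggle_' . $sid)) {
    return MENU_ACCESS_DENIED;
  }
  db_query("UPDATE {example_ldap_server} SET status = 1 - status WHERE sid = %d", $sid);
  drupal_set_message(t('Server status updated.'));
  drupal_goto('admin/settings/example-ldap');
}

/**
 * Page callback for a user's LDAP data; reached only via the access
 * callback above, so it needs no further permission check of its own.
 */
function example_ldap_user_data($account) {
  return check_plain($account->name);
}
```

Two points worth noting when reviewing a contrib module for the same classes of defect: the token must be tied to the specific object being changed (here the server id), otherwise one captured token authorises every toggle; and output escaping belongs at the point where the value is rendered, not where it is stored, since the same stored name may be rendered in several places.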