donty:

Hi All

This will sound like a whinge but, it looks like the Turnkey Drupal 6.11 may have a serious cross site scripting error which was patched and updated by Drupal on 13th May but hasn't made it into the Turnkey iso or repositories.

Just wondered since XSS is so big a pain whether it could be included quickly to avoid proliferation?

Thanks

Kevin

Liraz Siri:

Thanks for pointing this out. I'll talk to Alon about this tomorrow and see if we can test 6.12 for inclusion in our auto-updates repository. That version came out about a week after we had finished testing that the previous version (6.11) could be updated to automatically without issues.

FYI, though we realize both can have serious consequences, we usually consider XSS vulnerabilities to be of lower priority than remote execution vulnerabilities. Especially in the middle of a development cycle.

Anyhow, note that just like with any other installation of Drupal on Ubuntu you can always apply a patch by hand. We've been importing the Drupal packages from Debian unstable after we test them. You could always install that package and do the testing yourself. If possible report back to the community so we can build on your experience.

Alon Swartz:

I've been meaning to do this for a while now, just been busy with the upcoming release and as Liraz mentioned "we usually consider XSS vulnerabilities to be of lower priority than remote execution vulnerabilities".

Anyway, you can read more in the update announcements for drupal5 and drupal6.
donty:

That's great news, thanks. I know remote exec is worse but I have seen a fair bit of injection and XSS resulting in 3rd party problems and harm to confidence and reputation, esp. when Google reports it as a dangerous site - so I might overplay it a bit, but when it's avoidable it's best to avoid it ;-) Thanks for the quick response, as always! *Meant to say I did patch mine up from Drupal, which meant I changed the default settings conf in the sites default directory, which meant I got to understand more about multi-site operation, which was a nice bonus for handcrafting ;-)
