Downloads

Download tar.gz 8.12 KB
MD5: c74076ede54f235f7ce6e03cc426c06f
SHA-1: 7ff90a0bf31dec74b38b50353b3a2221bfac457b
SHA-256: de8102981843a52610557677d40651df4412da69d1cd41e890353d0d4938553b
Download zip 8.96 KB
MD5: 0658ce03c4dbf8b47ec90566f2e124b0
SHA-1: 6508913126616de1b734feb9880e915d35791ffc
SHA-256: 8bda0058f25777f2523b6dcfa3e281eb13f4047a817e5bd00e714f4aad187f10

Release notes

Fix for SA-CONTRIB-2011-039 - Bot Alarm - Multiple vulnerabilities

Vulnerability: Cross Site Scripting

The module does not properly escape the message and channels of alarms in pages listing the alarms, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'administer bot'.

Vulnerability: Cross Site Request Forgery

The module does not check for any one-time-use tokens when deleting an alarm, leading to a Cross Site Request Forgery (CSRF) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'administer bot'.

Created by: pifantastic
Created on: 31 Aug 2011 at 16:14 UTC
Last updated: 31 Aug 2011 at 18:14 UTC
Security update
Unsupported
