Posted on: 2003/12/22 14:04
Re: Weblinks module security problem. Patch available ?
If you look at the article, you'll see that it was published today and I'm just waking up: that's the reason why a patch hasn't been released yet...
Also, this site is not vulnerable to this problem. The sample in the security advisory is just informative. Entering a URL manually like this would just allow you to hijack your own account, so you can make people believe you are yourself (pretty deep sentence, isn't it?)
This is considered a security problem, as people are allowed to add links to the mylinks section.
- The auto-approve option is set to off, so any such link would be deleted by an admin before it is published.
- We don't use the frame feature.
So if you feel concerned about this issue, turn one of those 2 options off until I can get a coffee; I'll be working on it after.