Guzzle is an open source PHP HTTP client. This library has released a security update which impacts some Drupal configurations. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach: use your own redirect middleware rather than ours. If you do not require or expect redirects to be followed, simply disable redirects altogether.

Therefore I decided to install an older Drupal 7 version on my localhost and reverse engineer this bug. What I discovered was a shocking bug which gives anyone with basic knowledge of HTML/SQL full access to your Drupal site.

Security-news: Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032 (security-news list, Wed Mar 30 19:42). The 8.x branch of the module is vulnerable to SQL injection. Solution: Install the latest version: If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1. Reported By: Jakub Piasecki. Fixed By. Coordinated By: Chris McCaffrey of the Drupal Security Team, Greg Knaddison of the Drupal Security Team. The Drupal security team can be reached by email at security at or via the contact form.

Cross-site scripting (XSS) vulnerability in index.php in PHP Running. x-0.1 for Drupal allows remote attackers to inject arbitrary web script or. In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9 Drupal core uses the third-party PEAR Archive_Tar library.