FORM_MAIL MODULE ALLOWS ARBITRARY HEADER INJECTION
* Advisory ID: DRUPAL-SA-2006-009
* Project: form_mail
* Date: 2006-Jul-4
* Security risk: moderately critical
* Impact: security bypass
* Exploitable from: remote
* Vulnerability: mail header injection attack
------------DESCRIPTION------------
Linefeeds and carriage returns were not being stripped from email headers,
raising the possibility of bogus headers being inserted into outgoing email.
This could lead to sites being used to send unwanted email.
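The missing check, shown as an added example in PHP (this is not form_mail's code and not the fix from revision 1.8.2.2): values taken from a form are stripped of carriage returns and linefeeds before they are placed in the header block passed to mail(). The function names and the sample input are constructed for illustration, and header names are assumed to be fixed by the calling code rather than user-supplied.

```php
<?php
// Added example: hypothetical helpers, not taken from form_mail.

/**
 * Strip CR, LF and NUL from a value that will be placed in a mail header,
 * so the value cannot end the current header line and start a new one.
 */
function example_clean_header_value(string $value): string {
  return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

/**
 * Stricter variant: report whether the value is free of line breaks,
 * so the caller can reject the submission instead of repairing it.
 */
function example_is_safe_header_value(string $value): bool {
  return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Build the additional-headers string for mail() from name => value pairs.
 * Every value is cleaned; names come from the calling code (assumption).
 */
function example_build_headers(array $headers): string {
  $lines = [];
  foreach ($headers as $name => $value) {
    $lines[] = $name . ': ' . example_clean_header_value($value);
  }
  return implode("\r\n", $lines);
}

// Constructed form input: the "email" field carries an embedded line break.
$submitted_from = "visitor@example.com\r\nX-Injected: yes";

// Unsafe concatenation: the single form field yields more than one header line.
$unsafe = 'From: ' . $submitted_from;
echo 'header lines without cleaning: ', count(explode("\r\n", $unsafe)), "\n";

// Cleaned: the header block still contains exactly one From line.
$safe = example_build_headers(['From' => $submitted_from]);
echo 'header lines after cleaning: ', count(explode("\r\n", $safe)), "\n";

// The strict check flags the same input for rejection.
var_dump(example_is_safe_header_value($submitted_from));
```

The same cleaning applies to any other user-supplied value that ends up in a header, such as the subject or a reply-to address.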
------------VERSIONS AFFECTED------------
form_mail versions prior to revision 1.8.2.2 on 27.6.2006
Drupal core is not affected.
------------SOLUTION------------
Download the latest version of form_mail: form_mail-4.6.0.tar.gz
http://ftp.osuosl.org/pub/drupal/files/projects/form_mail-4.6.0.tar.gz
------------REPORTED BY------------
Adam Gundry
------------CONTACT------------
form_mail.module
So how come my site doesn't have this file?
It's a contributed module for version 4.6, not included in the original installation package:
http://drupal.org/project/form_mail