[DRUPAL-SA-2006-011] Drupal 4.7.3 / 4.6.9 fixes XSS issue Aug 03 2006 03:20PM
Uwe Hermann (uwe hermann-uwe de)
Drupal security advisory DRUPAL-SA-2006-011
Advisory ID: DRUPAL-SA-2006-011
Project: Drupal core
Date: 2006-Aug-02
Security risk: less critical
Impact: Drupal 4.6, Drupal 4.7
Where: from remote
Vulnerability: cross-site scripting


A malicious user can execute a cross-site scripting attack by enticing
someone to visit a Drupal site via a specially crafted link.

Versions affected
- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9.
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3.

To patch Drupal 4.6.8 use http://drupal.org/files/sa-2006-011/4.6.8.patch.
To patch Drupal 4.7.2 use http://drupal.org/files/sa-2006-011/4.7.2.patch.

Reported By
Ayman Hourieh

Note about Drupal 4.7.3 and custom themes or JavaScript

A bug in the form API theme layer made it possible to have an ID occur more
than once in a page. This invalidates the HTML, makes styling with CSS hard
or impossible, and can break JavaScript. A patch was committed to ensure
unique IDs.

This patch has a side effect: IDs for hidden form fields in your site's
HTML will change. You might need to adapt your custom CSS or JavaScript if
it refers to such a changed ID.
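An added example (not Drupal's own code) of the check a site maintainer would run after upgrading: it finds duplicate id attributes in a rendered page, and shows one way a form renderer can suffix repeated ids so they stay unique. The field names, the "edit-" prefix and the "-1", "-2" suffix scheme are assumptions for illustration; the advisory does not state Drupal's exact scheme.

```python
"""Find duplicate id attributes in rendered HTML and show one way to keep
form-element ids page-unique. Added example, not Drupal's own code."""
import html
from collections import Counter
from html.parser import HTMLParser


class IdCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.ids = []  # every id attribute value, in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "id" and value:
                self.ids.append(value)


def duplicate_ids(page):
    """Return {id: count} for every id that occurs more than once."""
    collector = IdCollector()
    collector.feed(page)
    return {i: n for i, n in Counter(collector.ids).items() if n > 1}


def unique_id(base, seen):
    """First use returns base, later uses base-1, base-2, ... (an assumed
    scheme for illustration; the advisory does not state Drupal's)."""
    if base not in seen:
        seen[base] = 0
        return base
    seen[base] += 1
    return f"{base}-{seen[base]}"


def render_hidden_fields(forms):
    """Render hidden inputs for several forms (each a list of (name, value)
    pairs) on one page, suffixing ids so no id repeats."""
    seen, out = {}, []
    for fields in forms:
        inputs = "".join(
            '<input type="hidden" name="{}" id="{}" value="{}" />'.format(
                html.escape(name, quote=True),
                unique_id("edit-" + name.replace("_", "-"), seen),
                html.escape(value, quote=True))
            for name, value in fields)
        out.append("<form>" + inputs + "</form>")
    return "".join(out)


# Constructed sample: two forms whose hidden form_id fields share one id.
BUGGY_PAGE = 2 * '<form><input type="hidden" name="form_id" id="edit-form-id" /></form>'
```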

The security contact for Drupal can be reached at security (at) drupal (dot) org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.
Uwe Hermann
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org