lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20061019170801.GD26217@greenwood>
Date: Thu, 19 Oct 2006 19:08:01 +0200
From: Uwe Hermann <uwe@...mann-uwe.de>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	phpsec@...arch.com
Subject: [DRUPAL-SA-2006-024] Drupal 4.6.10 / 4.7.4 fixes multiple XSS issues

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2006-024
----------------------------------------------------------------------------
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Cross site scripting
----------------------------------------------------------------------------
 
Description
-----------
Multiple XSS (cross site scripting) vulnerabilities have been discovered.

A bug in input validation and lack of output validation allows HTML and script 
insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain 
circumstances. A malicious user may execute an XSS attack via a specially 
crafted RSS feed. This vulnerability exists on systems that do not use PHP's 
mb_string extension (to check if mb_string is being used, navigate to 
admin/settings and look under "String handling"). Disabling the aggregator 
module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape 
output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are 
met.
 
 
Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
   http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
   http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz

- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and 
do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by
-----------
- The XML parser vulnerability was reported by Erdem Köse.
- The forum module vulnerability was reported by Jim Phlew.
- The other vulnerabilities were found by members of the Drupal security team.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or 
using the form at http://drupal.org/contact.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ