TITLE:
Drupal Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA17824

VERIFY ADVISORY:
http://secunia.com/advisories/17824/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Cross Site Scripting

WHERE:
>From remote

SOFTWARE:
Drupal 4.x
http://secunia.com/product/342/

DESCRIPTION:
Some vulnerabilities have been reported in Drupal, which can be
exploited by malicious people to bypass certain security
restrictions, and conduct script insertion and HTTP response
splitting attacks.

1) An input validation error in the filtering of HTML code can be
exploited to inject arbitrary JavaScript code in submitted content,
which will be executed in a user's browser session in context of an
affected site when the malicious user data is viewed.

Successful exploitation requires that the user has access to the full
HTML input format.

The vulnerability has been reported in versions 4.5.0 through 4.5.5
and 4.6.0 through 4.6.3. Prior versions may also be affected.

2) An input validation error in the attachment handling can be
exploited to upload a malicious image with embedded HTML and script
content, which will be executed in a user's browser session in
context of an affected site when viewed directly with the Microsoft
Internet Explorer browser.

This is related to:
SA17295

This can also be exploited to inject arbitrary HTTP headers, which
will be included in the response sent to the user.

The vulnerability has been reported in versions 4.5.0 through 4.5.5
and 4.6.0 through 4.6.3. Prior versions may also be affected.

3) The problem is that it is possible to bypass the "access user
profile" permission. However, this cannot be exploited to modify
data.

Successful exploitation requires that the server runs PHP 5.

The vulnerability has been reported in version 4.6.0 through 4.6.3.

SOLUTION:
Update to version 4.5.6 or 4.6.4.
http://drupal.org/project

PROVIDED AND/OR DISCOVERED BY:
1) Ahmed Saad
2) Paul Laudanski
3) Andrew Widdowson

ORIGINAL ADVISORY:
http://drupal.org/files/sa-2005-007/advisory.txt
http://drupal.org/files/sa-2005-008/advisory.txt
http://drupal.org/files/sa-2005-009/advisory.txt

OTHER REFERENCES:
SA17295:
http://secunia.com/advisories/17295/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------