exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DRUPAL-SA-2006-008.txt

DRUPAL-SA-2006-008.txt
Posted Jun 3, 2006
Authored by Uwe Hermann | Site drupal.org

Drupal security advisory DRUPAL-SA-2006-008: Bart Jansens reported that it is possible for a malicious user to insert and execute XSS into free tagging terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain().

tags | advisory
SHA-256 | b0584638f5b9adbb1149a2a0377ce9f140df6fe298f84e5f8c229862801bc629

DRUPAL-SA-2006-008.txt

Change Mirror Download

--RYJh/3oyKhIjGcML
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

----------------------------------------------------------------------------
Drupal security advisory DRUPAL-SA-2006-008
----------------------------------------------------------------------------
Advisory ID: DRUPAL-SA-2006-008
Project: Drupal core
Date: 2006-06-01
Security risk: less critical
Impact: Drupal core
Where: from remote
Vulnerability: cross-site scripting
----------------------------------------------------------------------------

Description
-----------
Bart Jansens reported that it is possible for a malicious user to insert
and execute XSS into free tagging terms, due to lack of validation on output
of the page title. The fix wraps the display of terms in check_plain().

Versions affected
-----------------
Drupal 4.7.x versions before Drupal 4.7.2.

Solution
--------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.8.
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.2.

To patch Drupal 4.6.7 use the http://drupal.org/files/sa-2006-008/4.6.7.pat=
ch.
To patch Drupal 4.7.1 use the http://drupal.org/files/sa-2006-008/4.7.1.pat=
ch.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
--=20
Uwe Hermann=20
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org=20
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

--RYJh/3oyKhIjGcML
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD4DBQFEgIQsXdVoV3jWIbQRAh3QAJ0UslesDJxRjIkHsW4RZR2hcDMQ6wCYq2jN
lx/k+thwt6iFzm8m2cMYLQ==
=8WEv
-----END PGP SIGNATURE-----

--RYJh/3oyKhIjGcML--

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    36 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close