DRUPAL-SA-2006-008.txt

DRUPAL-SA-2006-008.txt: Posted Jun 3, 2006; Authored by Uwe Hermann | Site drupal.org; Drupal security advisory DRUPAL-SA-2006-008: Bart Jansens reported that it is possible for a malicious user to insert and execute XSS into free tagging terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain().; tags | advisory; SHA-256 | b0584638f5b9adbb1149a2a0377ce9f140df6fe298f84e5f8c229862801bc629; Download | Favorite | View

DRUPAL-SA-2006-008.txt


--RYJh/3oyKhIjGcML
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2006-008
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2006-008
Project:        Drupal core
Date:           2006-06-01
Security risk:  less critical
Impact:         Drupal core
Where:          from remote
Vulnerability:  cross-site scripting
----------------------------------------------------------------------------

Description
-----------
Bart Jansens reported that it is possible for a malicious user to insert
and execute XSS into free tagging terms, due to lack of validation on output
of the page title. The fix wraps the display of terms in check_plain().

Versions affected
-----------------
Drupal 4.7.x versions before Drupal 4.7.2.

Solution
--------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.8.
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.2.

To patch Drupal 4.6.7 use the http://drupal.org/files/sa-2006-008/4.6.7.pat=
ch.
To patch Drupal 4.7.1 use the http://drupal.org/files/sa-2006-008/4.7.1.pat=
ch.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
--=20
Uwe Hermann=20
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org=20
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

--RYJh/3oyKhIjGcML
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD4DBQFEgIQsXdVoV3jWIbQRAh3QAJ0UslesDJxRjIkHsW4RZR2hcDMQ6wCYq2jN
lx/k+thwt6iFzm8m2cMYLQ==
=8WEv
-----END PGP SIGNATURE-----

--RYJh/3oyKhIjGcML--

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

DRUPAL-SA-2006-008.txt

DRUPAL-SA-2006-008.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DRUPAL-SA-2006-008.txt

Share This

DRUPAL-SA-2006-008.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems