DRUPAL-SA-2006-011.txt

DRUPAL-SA-2006-011.txt: Posted Aug 17, 2006; Authored by Uwe Hermann | Site drupal.org; Drupal security advisory DRUPAL-SA-2006-011: A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions 4.6 and 4.7 are affected.; tags | advisory, xss; SHA-256 | 729acaa041bbcefdff3132971b083758ab50c3e1077bfab8676740ab791d7a63; Download | Favorite | View

DRUPAL-SA-2006-011.txt

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2006-011
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2006-011
Project:        Drupal core
Date:           2006-Aug-02
Security risk:  less critical
Impact:         Drupal 4.6, Drupal 4.7
Where:          from remote
Vulnerability:  cross-site scripting
----------------------------------------------------------------------------

Description
-----------

A malicious user can execute a cross site scripting attack by enticing
someone to visit a Drupal site via a specially crafted link. 

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3

Solution
--------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9
(http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.9.tar.gz).
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3
(http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.3.tar.gz).

To patch Drupal 4.6.8 use http://drupal.org/files/sa-2006-011/4.6.8.patch.
To patch Drupal 4.7.2 use http://drupal.org/files/sa-2006-011/4.7.2.patch.

Reported By
-----------
Ayman Hourieh

Note about Drupal 4.7.3 and custom themes or JavaScript
-------------------------------------------------------

A bug in the form API theme layer made it possible to have an ID occur more
than once in a page. This invalidates the HTML, makes styling with CSS hard
or impossible, and can break JavaScript. A patch was committed to ensure
unique IDs. 
This patch has a side-effect that IDs for hidden form fields in your site's
HTML will change. You might need to adapt your custom CSS or JavaScript, if
it refers to such a changed ID.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

DRUPAL-SA-2006-011.txt

DRUPAL-SA-2006-011.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DRUPAL-SA-2006-011.txt

Share This

DRUPAL-SA-2006-011.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems