DRUPAL-SA-2006-011.txt

DRUPAL-SA-2006-011.txt: Posted Aug 17, 2006; Authored by Uwe Hermann | Site drupal.org; Drupal security advisory DRUPAL-SA-2006-011: A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions 4.6 and 4.7 are affected.; tags | advisory, xss; SHA-256 | 729acaa041bbcefdff3132971b083758ab50c3e1077bfab8676740ab791d7a63; Download | Favorite | View

DRUPAL-SA-2006-011.txt

----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2006-011
----------------------------------------------------------------------------
Advisory ID:    DRUPAL-SA-2006-011
Project:        Drupal core
Date:           2006-Aug-02
Security risk:  less critical
Impact:         Drupal 4.6, Drupal 4.7
Where:          from remote
Vulnerability:  cross-site scripting
----------------------------------------------------------------------------

Description
-----------

A malicious user can execute a cross site scripting attack by enticing
someone to visit a Drupal site via a specially crafted link. 

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3

Solution
--------
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9
(https://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.9.tar.gz).
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3
(https://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.3.tar.gz).

To patch Drupal 4.6.8 use https://drupal.org/files/sa-2006-011/4.6.8.patch.
To patch Drupal 4.7.2 use https://drupal.org/files/sa-2006-011/4.7.2.patch.

Reported By
-----------
Ayman Hourieh

Note about Drupal 4.7.3 and custom themes or JavaScript
-------------------------------------------------------

A bug in the form API theme layer made it possible to have an ID occur more
than once in a page. This invalidates the HTML, makes styling with CSS hard
or impossible, and can break JavaScript. A patch was committed to ensure
unique IDs. 
This patch has a side-effect that IDs for hidden form fields in your site's
HTML will change. You might need to adapt your custom CSS or JavaScript, if
it refers to such a changed ID.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org
or using the form at https://drupal.org/contact.
More information is available from https://drupal.org/security or from
our security RSS feed https://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
https://www.hermann-uwe.de
https://www.it-services-uh.de  | https://www.crazy-hacks.org 
https://www.holsham-traders.de | https://www.unmaintained-free-software.org

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 62 files
Debian 23 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

DRUPAL-SA-2006-011.txt

DRUPAL-SA-2006-011.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DRUPAL-SA-2006-011.txt

Share This

DRUPAL-SA-2006-011.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems