Drupal 4.6.10 / 4.7.4 fixes HTML attribute injection issue

2006.10.25

Credit: Uwe Hermann (uwe hermann-uwe de)

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-5477

CWE: CWE-Other

CVSS Base Score: 2.6/10

Impact Subscore: 2.9/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

------------------------------------------------------------------------
----
Drupal security advisory                                  DRUPAL-SA-2006-026
------------------------------------------------------------------------
----
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Less critical
Exploitable from: Remote
Vulnerability:    HTML attribute injection
------------------------------------------------------------------------
----

Description
-----------
A malicious user may entice users to visit a specially crafted URL that may 
result in the redirection of Drupal form submission to a third-party site. A 
user visiting the user registration page via such a url, for example, will 
submit all data, such as his/her e-mail address, but also possible private 
profile data, to a third-party site.

Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
   http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
   http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz

- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, 
and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by
-----------
Frederic Marand.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or 
using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFN7D2XdVoV3jWIbQRAn30AJ4wDXVgTcsZ6AVZU0iz8oFYqTx8dACeNXFj
D4MxzZKaxPKknex3KMezI6Y=
=eFVr
-----END PGP SIGNATURE-----

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Drupal 4.6.10 / 4.7.4 fixes HTML attribute injection issue

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.