Source: securityvulns (SECURITYVULNS:DOC:11803)
History: Mar 14, 2006 - 12:00 a.m.

[DRUPAL-SA-2006-004] Drupal 4.6.6 / 4.5.8 fixes mail header injection issue

Drupal security advisory DRUPAL-SA-2006-004

Advisory ID: DRUPAL-SA-2006-004
Project: Drupal core
Date: 2006-03-13
Security risk: moderately critical
Impact: security bypass
Where: from remote
Vulnerability: mail header injection attack

Description

Linefeeds and carriage returns were not being stripped from email headers,
raising the possibility of bogus headers being inserted into outgoing email.
This could lead to Drupal sites being used to send unwanted email.
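
The header-building flaw described above, next to a version that strips line breaks, as an added example (not Drupal's code and not the patch shipped in 4.6.6 / 4.5.8). The function names, the form field and the header values are constructed for illustration.

```php
<?php
// Added example, not Drupal's code. All names and sample values are constructed.

/** Vulnerable: joins values as-is, so CR/LF inside a value starts a new header line. */
function build_headers_unsafe(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

/** Hardened: strip carriage returns and linefeeds from every name and value. */
function build_headers_safe(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $name  = str_replace(["\r", "\n"], '', (string) $name);
        $value = str_replace(["\r", "\n"], '', (string) $value);
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

/** Check for logging or rejecting input: true if the value contains CR or LF. */
function has_line_break(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

// Constructed form input: the sender-name field carries an embedded CRLF.
$from_name = "Visitor\r\nX-Injected: constructed-example";
$headers = [
    'From'     => $from_name . ' <visitor@example.com>',
    'X-Mailer' => 'example',
];

$unsafe = build_headers_unsafe($headers);
$safe   = build_headers_safe($headers);

// Two headers were requested; count how many header lines each builder emits.
echo 'unsafe header lines: ', count(explode("\r\n", $unsafe)), "\n";
echo 'safe header lines:   ', count(explode("\r\n", $safe)), "\n";
echo 'input flagged:       ', var_export(has_line_break($from_name), true), "\n";
```

Stripping keeps the message deliverable but leaves the mangled value in the header, so logging or rejecting any field that `has_line_break()` flags is a useful complement.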

Versions affected

All Drupal versions before 4.6.6.

Solution

If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8.
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.6.

Reported by

Norrin, kbahey

Contact

The security contact for Drupal can be reached at [email protected]
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.

// Uwe Hermann, on behalf of the Drupal Security Team.

Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org