SECURITYVULNS:DOC:14756
Oct 21, 2006 - 12:00 a.m.

[DRUPAL-SA-2006-026] Drupal 4.6.10 / 4.7.4 fixes HTML attribute injection issue

2006-10-21 00:00:00
vulners.com


Drupal security advisory DRUPAL-SA-2006-026


Project: Drupal core
Date: 2006-Oct-18
Security risk: Less critical
Exploitable from: Remote
Vulnerability: HTML attribute injection


Description

A malicious user may entice users to visit a specially crafted URL that may
result in the redirection of Drupal form submissions to a third-party site. A
user who visits the user registration page via such a URL, for example, will
submit all entered data, such as his/her e-mail address and possibly private
profile data, to that third-party site.
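The following is an added illustration, not Drupal's code and not part of the advisory: it contrasts the flawed pattern the description implies (a value taken from the request URL written unescaped into a form's action attribute) with the attribute-escaped form, and adds a regression check that parses the rendered HTML and confirms the action attribute is still one attribute holding the whole request path. The function names and the sample paths are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the advisory): the legitimate path of the
# registration form, and a request path carrying a double quote, so any text
# after it would be read as markup if the path were copied into an attribute
# verbatim.
INTENDED_ACTION = "/user/register"
CRAFTED_PATH = '/user/register" action="http://third-party.example.org/'


def render_form_vulnerable(request_uri: str) -> str:
    """Flawed pattern assumed from the advisory: the raw request URI is written
    straight into the form's action attribute."""
    return (f'<form action="{request_uri}" method="post">'
            '<input name="mail" type="text"></form>')


def render_form_fixed(request_uri: str) -> str:
    """Corrected pattern: the value is attribute-escaped, so quotes and angle
    brackets reach the browser as data, never as markup."""
    safe = html.escape(request_uri, quote=True)
    return (f'<form action="{safe}" method="post">'
            '<input name="mail" type="text"></form>')


class _FirstFormAttrs(HTMLParser):
    """Collects the attribute list of the first <form> element seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.attrs is None:
            self.attrs = attrs


def form_attrs(document: str):
    """Return the (name, value) attribute pairs of the first <form> tag.
    html.parser keeps duplicate attributes, which is what exposes the flaw."""
    parser = _FirstFormAttrs()
    parser.feed(document)
    parser.close()
    return parser.attrs or []


def action_is_intact(document: str, request_uri: str) -> bool:
    """Regression check: exactly one action attribute, and its parsed value is
    the whole request URI (quote included), so nothing leaked into markup."""
    actions = [value for name, value in form_attrs(document) if name == "action"]
    return actions == [request_uri]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_form_vulnerable),
                          ("fixed", render_form_fixed)):
        doc = render(CRAFTED_PATH)
        print(label, form_attrs(doc), "intact:", action_is_intact(doc, CRAFTED_PATH))
```

With the crafted path, the vulnerable render yields a form tag with two action attributes, i.e. part of the URL has become markup; the fixed render yields a single action attribute whose parsed value is the complete path, quote and all. The check passes for both renders on a normal path, so it only flags the escaping defect, not ordinary use.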

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.10
  • Drupal 4.7.x versions before Drupal 4.7.4

Solution

Please note that the patches only contain changes related to this advisory,
and do not include the other bug fixes that went into 4.6.10 or 4.7.4.

Reported by

Frederic Marand.

Contact

The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFN7D2XdVoV3jWIbQRAn30AJ4wDXVgTcsZ6AVZU0iz8oFYqTx8dACeNXFj
D4MxzZKaxPKknex3KMezI6Y=
=eFVr
-----END PGP SIGNATURE-----