[OpenPKG-SA-2006.025] OpenPKG Security Advisory (drupal)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [OpenPKG-SA-2006.025] OpenPKG Security Advisory (drupal)
From: OpenPKG <openpkg@xxxxxxxxxxx>
Date: Fri, 20 Oct 2006 08:33:40 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: The OpenPKG Project, http://www.openpkg.org/
Reply-to: openpkg@xxxxxxxxxxx
User-agent: Mutt/1.5.11 OpenPKG/2-STABLE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                                   OpenPKG GmbH
http://www.openpkg.org/security/                      http://openpkg.com
OpenPKG-SA-2006.025                                           2006-10-20
________________________________________________________________________

Package:          drupal
Vulnerability:    cross-site scripting, privilege escalation
OpenPKG Specific: no

Affected Series:  Affected Packages:         Corrected Packages:
1.0-ENTERPRISE    n.a.                       >= drupal-4.7.4-E1.0.0
2-STABLE-20060622 <= drupal-4.7.3-2.20061018 >= drupal-4.7.4-2.20061019
2-STABLE          <= drupal-4.7.3-2.20061018 >= drupal-4.7.4-2.20061019
CURRENT           <= drupal-4.7.3-20061016   >= drupal-4.7.4-20061019

Description:
  According to vendor security advisories [2][3][4], multiple
  vulnerabilities exist in the Drupal content management platform [1]:

  A bug in input validation and lack of output validation allows HTML
  and script insertion on several pages. And Drupal's XML parser passes
  unescaped data to watchdog under certain circumstances. A malicious
  user may execute an XSS attack via a specially crafted RSS feed.
  Additionally, the aggregator module, profile module, and forum module
  do not properly escape output of certain fields. [2]

  Visiting a specially crafted page, anywhere on the web, may allow that
  page to post forms to a Drupal site in the context of the visitor's
  session. An attacker can exploit this vulnerability by changing
  passwords, posting PHP code or creating new users, for example. The
  attack is only limited by the privileges of the session it executes
  in. [3]

  A malicious user may entice users to visit a specially crafted URL
  that may result in the redirection of Drupal form submission to a
  third-party site. A user visiting the user registration page via such
  an URL, for example, will submit all data, such as the e-mail address,
  but also possible private profile data, to a third-party site [4].
________________________________________________________________________

References:
  [1] http://drupal.org/
  [2] http://drupal.org/node/88826
  [3] http://drupal.org/node/88828
  [4] http://drupal.org/node/88829
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) which
you can retrieve from http://www.openpkg.org/openpkg.pgp. Follow the
instructions on http://www.openpkg.org/security/signatures/ for details
on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFFOG1HgHWT4GPEy58RAlCZAKCn9GhVEUZDhYcCXv9kIXS/1GZFNwCg3NAX
iB8bdpsey7szZjBFBNCPajw=
=hNkE
-----END PGP SIGNATURE-----

Prev by Date: Re: Flaw in Firefox 2.0 RC2
Next by Date: Re: Simple Machines Forum (SMF) XSS issue
Previous by thread: PHPLibrary-1.5.3(Description.php) Remote File Include
Next by thread: Open Meetings Filing Application (PROJECT_ROOT) Remote File Include Vulnerability
Index(es):
- Date
- Thread