- Advisory ID: DRUPAL-SA-2006-011
- Project: Drupal core
- Date: 2006-Aug-2
- Security risk: less critical
- Impact: Drupal core
- Exploitable from: remote
- Vulnerability: cross-site scripting
Description
A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link.
Versions affected
- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3
Solution
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9.
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3.
- To patch Drupal 4.6.8 use http://drupal.org/files/sa-2006-011/4.6.8.patch.
- To patch Drupal 4.7.2 use http://drupal.org/files/sa-2006-011/4.7.2.patch.
Reported by
Ayman Hourieh
Note about Drupal 4.7.3 and custom themes or JavaScript
A bug in the form API theme layer made it possible to have an ID occur more than once in a page. This invalidates the HTML, makes styling with CSS hard or impossible, and can break JavaScript. A patch was committed to ensure unique IDs. This patch has a side-effect that IDs for hidden form fields in your site's HTML will change. You might need to adapt your custom CSS or JavaScript, if it refers to such a changed ID.
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.