- Advisory ID: DRUPAL-SA-2008-006
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2008-January-10
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Wikipedia has more information about cross site scripting (XSS).
- Drupal 4.7.x before version 4.7.11.
- Drupal 5.x before version 5.6.
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.11.
- If you are running Drupal 5.x then upgrade to Drupal 5.6.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
Drupal 4.7.11 and 5.6 now require PHP 4.3.5 or higher as the minimum version.
Use of modules that purposely insert bytes that are invalid UTF-8 characters, such as GeSHi Filter and Code Filter will cause any text using the filter to not be displayed. Disable the modules until a solution has been found.
The vulnerability was discovered during an audit of Drupal core by Stefan Esser, Mayflower GmbH and Zend.
The Drupal security team wants to thank Die Zeit, who commissioned the audit, for sharing the results.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.