• Advisory ID: DRUPAL-SA-2008-007
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2008-January-10
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting when register_globals is enabled.


When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupals .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you.

Versions affected

  • Drupal 4.7.x
  • Drupal 5.x


  1. Disable register_globals. Please refer to the PHP documentation on information how to configure PHP.
  2. Ensure .tpl.php files are not accessible via the web.

Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.

Reported by

Ultra Security Research.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.