• Advisory ID: DRUPAL-SA-2008-067
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2008-October-22
  • Security risk: Less Critical
  • Exploitable from: Local/Remote
  • Vulnerability: Multiple vulnerabilities


Multiple vulnerabilities and weaknesses were discovered in Drupal.

File inclusion

On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory.

This bug affects both Drupal 5 and Drupal 6.

Cross site scripting

The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access.

This bug affects Drupal 6.

Versions Affected

  • Drupal 5.x before version 5.12
  • Drupal 6.x before version 6.6


Install the latest version:

  • If you are running Drupal 5.x then upgrade to Drupal 5.12.
  • If you are running Drupal 6.x then upgrade to Drupal 6.6.

Note: the settings.php, robots.txt and .htaccess files have not changed and can be left as they are if upgrading from the current version of Drupal.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.

Reported by

  • The file inclusion vulnerability was reported by Anthony Ferrara
  • The cross site scripting issue was reported by Maarten van Grootel


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.