Drupal Multiple Input Validation Vulnerabilities
BID:17104
Info
| Bugtraq ID: | 17104 |
| Class: | Input Validation Error |
| CVE: | CVE-2006-1225 CVE-2006-1226 CVE-2006-1227 CVE-2006-1228 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 14 2006 12:00AM |
| Updated: | Jul 19 2006 10:42PM |
| Credit: | The vendor credits Norrin, kbahey and Markus Petrux with the discovery of these issues. |
| Vulnerable: | Drupal Drupal 4.6.5, Drupal Drupal 4.6.4, Drupal Drupal 4.6.3, Drupal Drupal 4.6.2, Drupal Drupal 4.6.1, Drupal Drupal 4.6, Drupal Drupal 4.5.7, Drupal Drupal 4.5.6, Drupal Drupal 4.5.5, Drupal Drupal 4.5.4, Drupal Drupal 4.5.3, Drupal Drupal 4.5.2, Drupal Drupal 4.5.1, Drupal Drupal 4.5, Debian Linux 3.1 sparc, Debian Linux 3.1 s/390, Debian Linux 3.1 ppc, Debian Linux 3.1 mipsel, Debian Linux 3.1 mips, Debian Linux 3.1 m68k, Debian Linux 3.1 ia-64, Debian Linux 3.1 ia-32, Debian Linux 3.1 hppa, Debian Linux 3.1 arm, Debian Linux 3.1 amd64, Debian Linux 3.1 alpha, Debian Linux 3.1 |
| Not Vulnerable: | Drupal Drupal 4.6.6, Drupal Drupal 4.5.8 |
Discussion
Drupal is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to:
- have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site
- access sensitive information
- hijack user sessions
- use a vulnerable Drupal installation as an email relay.
Exploit / POC
Attackers can exploit this issue via a web client.
Solution / Fix
Solution:
The vendor has released updates to address these issues. Please see the referenced vendor advisories for more information.
The CRLF-injection vulnerabilities have been fixed in Drupal Form_mail 1.8.2.2; BID 18833 contains detailed information regarding these issues.
Drupal Drupal 4.5.3
- Debian drupal_4.5.3-6_all.deb
  Debian GNU/Linux 3.1 alias sarge
  http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6_all.deb