Drupal MySite Module Title Field HTML Injection Vulnerability

Bugtraq ID:	21651
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 18 2006 12:00AM
Updated:	Dec 18 2006 10:48PM
Credit:	Mark Baggett is credited with the discovery of this vulnerability.
Vulnerable:	Drupal Mysite 5.x-1.2 Drupal Mysite 4.7.x-3.2
Not Vulnerable:	Drupal Mysite 5.x-1.3 Drupal Mysite 4.7.x-3.3

Drupal MySite Module Title Field HTML Injection Vulnerability

The Drupal MySite module is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Drupal MySite Module Title Field HTML Injection Vulnerability

Attackers can exploit this issue via a web client.

Drupal MySite Module Title Field HTML Injection Vulnerability

Solution:
The vendor has released versions 4.7.x-33 and 5.x-1.3 to address this issue; please see the reference section for details.


Drupal Mysite 4.7.x-3.2

• Drupal mysite-4.7.x-3.3.tar.gz
  http://drupal.org/files/projects/mysite-4.7.x-3.3.tar.gz

Drupal Mysite 5.x-1.2

• Drupal mysite-5.x-1.3.tar.gz
  http://drupal.org/files/projects/mysite-5.x-1.3.tar.gz

Drupal MySite Module Title Field HTML Injection Vulnerability

References:

• Drupal mysite 4.7.x-3.3 (Drupal)
  
• Drupal mysite 5.x-1.3 (Drupal)
  
• Drupal Mysite Web Site (Drupal)