Drupal Database Administration Module Multiple HTML-injection Vulnerabilities
BID:23440
Info
Drupal Database Administration Module Multiple HTML-injection Vulnerabilities
| Bugtraq ID: | 23440 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 12 2007 12:00AM |
| Updated: | Apr 12 2007 08:11PM |
| Credit: | Derek Wright and Heine Deelstra from the Drupal Security Team are credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Drupal Database Administration 4.7.0-1 Drupal Database Administration 4.6.0-1 |
| Not Vulnerable: |
Drupal Database Administration 4.7.0-1.2 |
Discussion
Drupal Database Administration Module Multiple HTML-injection Vulnerabilities
Drupal Database Administration Module is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before displaying it in dynamically generated content.
To exploit this issue, an attacker must have Site Administrator privileges.
An attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Drupal Database Administration versions prior to 4.7.0-1.2 and all versions of the 4.6.0 branch are vulnerable to these issues.
Drupal Database Administration Module is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before displaying it in dynamically generated content.
To exploit this issue, an attacker must have Site Administrator privileges.
An attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Drupal Database Administration versions prior to 4.7.0-1.2 and all versions of the 4.6.0 branch are vulnerable to these issues.
Exploit / POC
Drupal Database Administration Module Multiple HTML-injection Vulnerabilities
Attackers can use a browser to exploit this issue.
Attackers can use a browser to exploit this issue.
Solution / Fix
Drupal Database Administration Module Multiple HTML-injection Vulnerabilities
Solution:
The vendor has released version 4.7.x-1.2 to address this issue. Please see the references for more information.
Solution:
The vendor has released version 4.7.x-1.2 to address this issue. Please see the references for more information.
References
Drupal Database Administration Module Multiple HTML-injection Vulnerabilities
References:
References: