Bug 268036 - www-apps/drupal <5.17/6.11 Cross-Site Scripting Vulnerability (CVE-2009-{1575,1576})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://drupal.org/node/449078
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-30 20:03 UTC by Baptiste aka mRyOuNg
Modified: 2009-05-18 17:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description Baptiste aka mRyOuNg 2009-04-30 20:03:20 UTC
copy/paste of the drupal SA:
When outputting user-supplied data, Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross-site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute JavaScript in the context of the website if site visitors are allowed to post content.

Vulnerability fixed in 5.17/6.11.

Reproducible: Always
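The advisory above describes the mechanism but not what it looks like in practice. The following is an added example, not code from Drupal or from the Gentoo bug, written in Python to show the three things a site maintainer cares about: what an ASCII-only, tag-free submission turns into when a browser sniffs the page as UTF-7, how to detect such submissions in stored or logged content, and two mitigations (entity-encoding the '+' shift character at output time, and putting the charset declaration first in <head>). The sample post, the function names and the CHARSET_META string are constructed for this example.

```python
import html
import re

# Constructed sample of what a site visitor could submit. As UTF-8 it is plain
# ASCII and passes an HTML-tag filter untouched, because it contains no '<' or
# '>' at all. A browser that guesses UTF-7 decodes it very differently.
SAMPLE_POST = "hello +ADw-script+AD4-alert(1)+ADw-/script+AD4- world"

# Candidate UTF-7 shift sequence: '+' followed by modified-base64 characters,
# usually closed by '-'. The regex only finds candidates; decoding decides.
UTF7_SHIFT_RE = re.compile(r"\+[A-Za-z0-9+/]+-?")


def as_utf7_browser_would_decode(text: str) -> str:
    """Show what a browser that sniffed UTF-7 makes of ASCII-only text.

    The strict ASCII encode is deliberate: the point of the bug is that the
    dangerous input is valid (and here pure-ASCII) UTF-8.
    """
    return text.encode("ascii").decode("utf-7")


def find_utf7_shifts(text: str) -> list:
    """Detection: return each shift sequence that decodes to something other than itself.

    Useful for flagging submissions or scanning stored content; a run of
    '+ADw-' / '+AD4-' (UTF-7 for '<' and '>') is the tell-tale pattern.
    """
    hits = []
    for match in UTF7_SHIFT_RE.finditer(text):
        seq = match.group(0)
        try:
            decoded = seq.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue  # not a well-formed shift sequence, so no UTF-7 meaning
        if decoded != seq:
            hits.append(seq)
    return hits


def escape_untrusted(text: str) -> str:
    """Mitigation at the output stage.

    Ordinary HTML escaping handles < > & " ' but leaves '+' alone, and '+' is
    the UTF-7 shift character. Encoding it as a numeric entity means no shift
    sequence survives, whichever charset the browser settles on.
    """
    return html.escape(text, quote=True).replace("+", "&#43;")


# Constructed for this example; the real page template's tag will differ.
CHARSET_META = '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'


def render_page(body_html: str) -> str:
    """Mitigation at the page level: declare the charset before anything else in <head>.

    The HTTP Content-Type header should carry the same charset; this is the
    in-document copy that a sniffing browser sees before any user content.
    """
    return (
        "<!DOCTYPE html>\n<html>\n<head>\n" + CHARSET_META
        + "\n<title>example</title>\n</head>\n<body>\n"
        + body_html + "\n</body>\n</html>\n"
    )


def charset_declared_before(page: str, fragment: str) -> bool:
    """Check that the charset meta tag precedes the given (untrusted) fragment."""
    meta_pos = page.find(CHARSET_META)
    frag_pos = page.find(fragment)
    return meta_pos != -1 and frag_pos != -1 and meta_pos < frag_pos


if __name__ == "__main__":
    print("as UTF-7:", as_utf7_browser_would_decode(SAMPLE_POST))
    print("shifts:  ", find_utf7_shifts(SAMPLE_POST))
    safe = escape_untrusted(SAMPLE_POST)
    print("escaped: ", safe)
    print("still harmless as UTF-7:", as_utf7_browser_would_decode(safe))
    print("charset declared first:", charset_declared_before(render_page(safe), safe))
```

Run as a script it prints the decoded form of the sample, the four shift sequences the detector flags, and confirms that after escaping the text decodes to itself under UTF-7. The two mitigations are complementary: escaping '+' protects output that already exists in the database, while the early charset declaration (together with the HTTP header) removes the reason the browser guesses in the first place.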
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2009-05-01 17:54:05 UTC
Thank you for the report, mRyOuNg. drupal 6.11 and 5.17 were added to the tree.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 18:55:53 UTC
Peter, please consider removing the vulnerable versions in the near future.

~arch -> noglsa. Thanks everyone.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 17:54:31 UTC
CVE-2009-1575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1575):
  Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17
  and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows remote
  attackers to inject arbitrary web script or HTML via crafted UTF-8
  byte sequences before the Content-Type meta tag, which are treated as
  UTF-7 by Internet Explorer 6 and 7.

CVE-2009-1576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1576):
  Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before
  6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote
  attackers to obtain sensitive information by tricking victims into
  visiting the front page of the site with a crafted URL and causing
  form data to be sent to an attacker-controlled site, possibly related
  to multiple / (slash) characters that are not properly handled by
  includes/bootstrap.inc, as demonstrated using the search box.  NOTE:
  this vulnerability can be leveraged to conduct cross-site request
  forgery (CSRF) attacks.