Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 269753 (CVE-2009-1844) - www-apps/drupal <5.18/6.12 Cross-Site Scripting Vulnerability (CVE-2009-1844)
Summary: www-apps/drupal <5.18/6.12 Cross-Site Scripting Vulnerability (CVE-2009-1844)
Status: VERIFIED FIXED
Alias: CVE-2009-1844
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://drupal.org/node/461886
Whiteboard: ~3 [noglsa]
Keywords:
: 270872 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-05-13 20:37 UTC by Baptiste aka mRyOuNg
Modified: 2009-06-12 21:15 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Baptiste aka mRyOuNg 2009-05-13 20:37:28 UTC
copy/paste from the Drupal SA:
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports.

Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary. 

Vulnerability fixed in 5.18/6.12.

Reproducible: Always
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 21:12:31 UTC
*** Bug 270872 has been marked as a duplicate of this bug. ***
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2009-05-24 21:51:50 UTC
Thank you for report mRyOuNg! New versions were just added to the tree.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-24 22:43:11 UTC
Not stable, thus no GLSA. Thanks Peter.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:15:20 UTC
CVE-2009-1844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1844):
  Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x
  before 5.18 and 6.x before 6.12 allow (1) remote authenticated users
  to inject arbitrary web script or HTML via crafted UTF-8 byte
  sequences that are treated as UTF-7 by Internet Explorer 6 and 7,
  which are not properly handled in the "HTML exports of books"
  feature; and (2) allow remote authenticated users with administer
  taxonomy permissions to inject arbitrary web script or HTML via the
  help text of an arbitrary vocabulary.  NOTE: vector 1 exists because
  of an incomplete fix for CVE-2009-1575.