Bug 270872 - www-apps/drupal 5.18 and 6.12 security fix release
Summary: www-apps/drupal 5.18 and 6.12 security fix release
Status: RESOLVED DUPLICATE of bug 269753
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://drupal.org/drupal-6.12
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2009-05-22 21:07 UTC by Jesse Adelman
Modified: 2011-10-30 22:38 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jesse Adelman 2009-05-22 21:07:42 UTC
Ref: http://drupal.org/node/461886

"SA-CORE-2009-006 - Drupal core - Cross site scripting

    * Advisory ID: DRUPAL-SA-CORE-2009-006
    * Project: Drupal core
    * Version: 5.x, 6.x
    * Date: 2009-May-13
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross site scripting
Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports.

Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary.

Wikipedia has more information about cross site scripting (XSS).
Versions affected

    * Drupal 5.x before version 5.18.
    * Drupal 6.x before version 6.12.

Solution

Install the latest version:

    * If you are running Drupal 6.x then upgrade to Drupal 6.12.
    * If you are running Drupal 5.x then upgrade to Drupal 5.18.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.18 or Drupal 6.12.

    * To patch Drupal 6.11 use SA-CORE-2009-006-6.11.patch.
    * To patch Drupal 5.17 use SA-CORE-2009-006-5.17.patch.

Reported by

The UTF-7 XSS issue in book-export-html.tpl.php was reported by Markus Petrux.

The XSS issue in taxonomy module was publicly disclosed.
Fixed by

Both issues were fixed by Heine Deelstra, Peter Wolanin and Derek Wright of the Drupal Security Team.
Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact."

Thanks. Apologies in advance if I've mischaracterized or miscategorized this bug.
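An added check for the ordering problem the advisory describes (not Drupal's own code): a template that emits user-supplied values such as a book title or vocabulary help text before the charset declaration leaves a sniffing browser free to pick another encoding for those bytes. The template strings and user values below are constructed for illustration; the real book export template is not reproduced.

```python
import html
import re

# Recognises the UTF-8 declaration in either the http-equiv form the advisory
# mentions or the shorter <meta charset="..."> form.
CHARSET_META = re.compile(
    r'<meta\s+(?:http-equiv=["\']content-type["\'][^>]*charset=|charset=)["\']?utf-8',
    re.IGNORECASE,
)

# Constructed templates modelling the two orderings, not Drupal's template files.
# Vulnerable ordering: the user-controlled title precedes the charset declaration.
VULNERABLE_TEMPLATE = (
    "<html><head><title>{title}</title>"
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'
    "</head><body>{body}</body></html>"
)
# Hardened ordering: the declaration is the first thing inside <head>.
HARDENED_TEMPLATE = (
    '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'
    "<title>{title}</title></head><body>{body}</body></html>"
)

def render(template, **values):
    """Render the way output filtering does: HTML-escape every user-supplied value."""
    return template.format(**{k: html.escape(v) for k, v in values.items()})

def charset_declared_before_user_content(rendered, user_values):
    """True when the UTF-8 declaration precedes the first byte a user controls.

    Escaping alone does not help here: the problematic bytes are valid UTF-8 and
    pass through html.escape unchanged, so the template-level defence is ordering.
    """
    decl = CHARSET_META.search(rendered)
    if decl is None:
        return False  # no in-document declaration; only the HTTP header protects the page
    positions = [rendered.find(html.escape(v)) for v in user_values if v]
    first_user = min((p for p in positions if p >= 0), default=len(rendered))
    return decl.start() < first_user

def audit(template, **values):
    """Render a template with the given user values and report whether it is safely ordered."""
    return charset_declared_before_user_content(render(template, **values), values.values())
```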
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 21:12:31 UTC
Jesse, thanks for the report, we appreciate your effort. But we already have a bug report for that, see bug #269753.

*** This bug has been marked as a duplicate of bug 269753 ***