Gábor Hojtsy - February 27, 2008 - 19:23
- Advisory ID: DRUPAL-SA-2008-018
- Project: Drupal core
- Version: 6.0
- Date: 2008-February-27
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple cross site scripting vulnerabilities
Description
Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.
The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.
Wikipedia has more information about cross site scripting (XSS).
Versions affected
- Drupal 6.x before version 6.1.
Solution
Install the latest version:
- Upgrade to Drupal 6.1.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
- To patch Drupal 6.0 use SA-2008-018-6.0.patch.
Reported by
- Steve McKenzie discovered the ECMAScript issue
- The Drupal security team
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.