SA-CORE-2009-005 – Drupal core – Cross site scripting
- Advisory ID: DRUPAL-SA-CORE-2009-005
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2009-April-29
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Wikipedia has more information about cross site scripting (XSS).
In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.
This vulnerability is limited to forms present on the frontpage. The user login form is not vulnerable.
- Drupal 5.x before version 5.17.
- Drupal 6.x before version 6.11.
Install the latest version:
- If you are running Drupal 6.x then upgrade to Drupal 6.11.
- If you are running Drupal 5.x then upgrade to Drupal 5.17.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerability, but does not contain other fixes which were released in Drupal 5.17 or Drupal 6.11.
- To patch Drupal 6.10 use SA-CORE-2009-005-6.10.patch.
- To patch Drupal 5.16 use SA-CORE-2009-005-5.16.patch.
As an alternate solution if you are unable to upgrade immediately, you can alter your page template following the pattern in the core changes. Open your theme’s main page.tpl.php file as well as any other page templates like page-node.tpl.php or page-front.tpl.php and move the line that is printing $head (<?php print $head ?>) above line with the <title> tag, so that it is the first item after the <head>.
The UTF-7 XSS issue was reported by pod.Edge.
The information disclosure vulnerability was reported by Moritz Naumann.
The Drupal security team
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.