[Sysadmin] [Security announcements] XSS vulnerability in submitted content

Drupal Security Team security at drupal.org
Wed Nov 30 16:21:33 CST 2005


  * Advisory ID: DRUPAL-SA-2005-007

  * Project: Drupal core

  * Date: 2005-11-30

  * Security risk: less critical

  * Impact: normal

  * Where: from remote

  * Vulnerability: XSS


Ahmed Saad has brought to our attention a creative way to enter malicious HTML
content. Upon further investigation, we found that the way various browsers
interpret broken HTML/SGML, together with quirks in how they interpret
correctly formed but nonsensical attribute values, also allows malicious HTML
content to be entered. These can lead to XSS attacks.

------------VERSIONS AFFECTED------------

Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5
Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3


  * If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.6.

  * If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.4.

------------IMPORTANT NOTES------------

We have developed a new XSS filtering system based on Ulf Harnhammar's kses
library (http://sourceforge.net/projects/kses/). This filtering is applied only
to Filtered HTML content, so a user whom you trust with the Full HTML input
format can still enter malicious content. Please revise your input format
settings accordingly.

Filtered HTML now filters the style attribute unconditionally.

Filter writers can access this mechanism through the new filter_xss() function.
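
The allowlist approach described above, as an added Python illustration (not part of the advisory, and not the code of kses or of Drupal's filter_xss()): markup is parsed and rebuilt from an allowlist of tags and attributes, so the style attribute never survives. The allowlist, the scheme list and every function name here are assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser
# Assumed allowlist for this example: tag -> attributes permitted on it.
# "style" and on* handlers are listed nowhere, so they never survive.
ALLOWED = {"a": {"href", "title"}, "p": set(), "em": set(), "strong": set(),
           "code": set(), "ul": set(), "ol": set(), "li": set()}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Browsers tolerate whitespace and control characters around and inside
    # a scheme name, so remove them before comparing against the allowlist.
    compact = "".join(ch for ch in value if ch > " ")
    scheme = re.match(r"([^/?#:]*):", compact)
    return scheme is None or scheme.group(1).lower() in SAFE_SCHEMES

class AllowlistFilter(HTMLParser):
    """Rebuilds markup from parser events; nothing is copied through raw."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element: drop the tag, keep its text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name != "href" or safe_url(value):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def allowlist_filter(text):
    parser = AllowlistFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, not taken from the advisory.
SAMPLE = '<p style="color:red">Hi <em onclick="x">there</em> <a href=" JavaScript:void(0)" title="t">link</a></p>'
print(allowlist_filter(SAMPLE))  # <p>Hi <em>there</em> <a title="t">link</a></p>
```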


The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from our
security RSS feed http://drupal.org/security/rss.xml.
