Reporter Drupal Security Team
A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.
Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.