DRUPAL-SA-2006-026 - Drupal core - Form action attribute injection

ID DRUPAL-SA-2006-026
Type drupal
Reporter Drupal Security Team
Modified 2006-10-18T00:00:00


A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.10
  • Drupal 4.7.x versions before Drupal 4.7.4


  • If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
  • To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
  • To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by

Frederic Marand.