SA-2008-018 - Drupal core - Cross site scripting

2008-02-27T00:00:00
ID DRUPAL-SA-2008-018
Type drupal
Reporter Drupal Security Team
Modified 2008-02-27T00:00:00

Description

Titles are not escaped prior to being displayed on content edit forms, allowing users to inject arbitrary HTML and script code into these pages.

The Drupal.checkPlain function, used to escape text in ECMAScript, contains a bug which causes it to escape only the first instance of a character, allowing users to inject arbitrary HTML and script code in certain pages.

Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • Drupal 6.x before version 6.1.

Solution

Install the latest version:

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

  • Steve McKenzie discovered the ECMAScript issue
  • The Drupal security team