Multiple vulnerabilities and weaknesses were discovered in Drupal.
The update system is vulnerable to cross-site request forgery (CSRF). Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.
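The CSRF weakness above comes down to a state-changing operation that could be triggered by any request the superuser's browser was tricked into sending. The following PHP is an added illustration, not Drupal's own code: it shows the unprotected pattern beside one guarded by a per-session, per-action token (Drupal 6 itself provides drupal_get_token() and drupal_valid_token() for this; the standalone HMAC construction, the session secret, the request arrays and the function names here are assumptions made for the example).

```php
<?php
// Added illustration (not Drupal's own code): a minimal CSRF guard for a
// state-changing maintenance action such as running database updates.
// The session secret, request arrays and function names are constructed
// for this example.

session_start();

// One secret per session; created here for the demo, normally at login.
if (!isset($_SESSION['csrf_secret'])) {
    $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
}

// Derive a token bound to both the session and the specific action, so a
// token issued for one operation cannot be reused for another.
function csrf_token(string $action): string {
    return hash_hmac('sha256', $action, $_SESSION['csrf_secret']);
}

// Constant-time comparison against the expected token for this action.
function csrf_valid(?string $token, string $action): bool {
    return is_string($token) && hash_equals(csrf_token($action), $token);
}

// Vulnerable pattern: any request carrying op=do_update runs the updates.
// Nothing ties the request to an intent expressed by the logged-in user.
function run_updates_vulnerable(array $request): string {
    if (($request['op'] ?? '') === 'do_update') {
        return 'updates executed';
    }
    return 'nothing to do';
}

// Hardened pattern: only a POST carrying a valid action-bound token runs them.
function run_updates_hardened(string $method, array $request): string {
    if ($method !== 'POST') {
        return 'rejected: updates require a POST';
    }
    if (!csrf_valid($request['token'] ?? null, 'do_update')) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (($request['op'] ?? '') === 'do_update') {
        return 'updates executed';
    }
    return 'nothing to do';
}

// Demonstration with constructed requests: one without a token (as a
// cross-site request would be) and one produced by the site's own form.
$forged  = ['op' => 'do_update'];
$genuine = ['op' => 'do_update', 'token' => csrf_token('do_update')];

echo run_updates_vulnerable($forged), "\n";
echo run_updates_hardened('GET', $forged), "\n";
echo run_updates_hardened('POST', $forged), "\n";
echo run_updates_hardened('POST', $genuine), "\n";
```

The token is derived with an HMAC over the action name so that validation needs no server-side token table, and hash_equals() avoids leaking the comparison result through timing.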
When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross-site scripting attacks when harmful tags are no longer stripped from "malicious" content that was posted earlier.
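The second issue is a dangling reference: stored content still names a format that no longer exists, and the renderer's fallback for an unknown format is to emit the text as-is. The PHP below is an added example, not Drupal's own filter code; the format registry, filter callbacks, node array and function names are constructed here. It contrasts that fallback with an escaping fallback, and shows the cleanup step of reassigning affected content when a format is removed.

```php
<?php
// Added illustration (not Drupal's own code): how content whose input
// format has been deleted can be rendered unfiltered, and two defensive
// measures. Format IDs, filters and the sample node are constructed.

// Registry of input formats -> filter callbacks.
$formats = [
    1 => fn(string $text): string => strip_tags($text, '<a><em><strong><p>'), // restricted
    2 => fn(string $text): string => $text,                                   // unrestricted
];

// A node saved earlier under format 2; the format is later deleted but the
// node row still references it. The body is a constructed sample.
$node = ['body' => '<p>Hi</p><script>alert(1)</script>', 'format' => 2];
unset($formats[2]);

// Vulnerable: unknown format -> the stored markup is returned untouched.
function render_vulnerable(array $formats, array $node): string {
    $filter = $formats[$node['format']] ?? null;
    return $filter ? $filter($node['body']) : $node['body'];
}

// Hardened: unknown format -> fall back to the most restrictive rendering
// (escape everything) instead of trusting stored markup.
function render_hardened(array $formats, array $node): string {
    $filter = $formats[$node['format']] ?? null;
    if ($filter === null) {
        return htmlspecialchars($node['body'], ENT_QUOTES, 'UTF-8');
    }
    return $filter($node['body']);
}

// Complementary fix: when a format is deleted, move every piece of content
// that references it onto a known-safe format so no dangling references
// remain. Returns the number of rows changed.
function reassign_on_delete(array &$nodes, int $deleted, int $fallback): int {
    $changed = 0;
    foreach ($nodes as &$n) {
        if ($n['format'] === $deleted) {
            $n['format'] = $fallback;
            $changed++;
        }
    }
    unset($n);
    return $changed;
}

echo render_vulnerable($formats, $node), "\n";   // script tag survives
echo render_hardened($formats, $node), "\n";     // everything escaped

$nodes = [$node];
reassign_on_delete($nodes, 2, 1);
echo render_hardened($formats, $nodes[0]), "\n"; // filtered by format 1
```

Both measures are worth keeping: the escaping fallback protects against any future dangling reference, while the reassignment on deletion keeps content readable under a deliberate, restrictive format rather than as escaped source.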
Install the latest version (Drupal 5.13 or Drupal 6.7; download links are listed below).
Note: the robots.txt and .htaccess files have changed and need to be replaced. The settings.php file has not been changed and can be left as it was if upgrading from the current version of Drupal.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. The patches fix security vulnerabilities, but do not contain other fixes which were released in these versions.
Both issues were reported by David Rothstein (David_Rothstein).
Contact: drupal.org/contact
Patch for Drupal 5.12: drupal.org/files/sa-2008-073/SA-2008-073-5.12.patch
Patch for Drupal 6.6: drupal.org/files/sa-2008-073/SA-2008-073-6.6.patch
Reporter (David Rothstein): drupal.org/user/124982
Cross-site scripting: en.wikipedia.org/wiki/Cross-site_scripting
Cross-site request forgery: en.wikipedia.org/wiki/Csrf
Drupal 5.13: ftp.drupal.org/files/projects/drupal-5.13.tar.gz
Drupal 6.7: ftp.drupal.org/files/projects/drupal-6.7.tar.gz