Multiple vulnerabilities and weaknesses were discovered in Drupal.
A user-supplied value is output directly during installation, allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites that have not yet been installed.
This issue affects Drupal 6.x only.
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
This issue affects Drupal 5.x and 6.x.
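The open redirect described above arises when a caller passes an unchecked, user-supplied destination (such as a `destination` query parameter) to a redirect function. The following is an added example, not Drupal's own code and not the patched `drupal_goto()`: a stand-alone PHP validator (the function names `is_local_redirect_target` and `safe_redirect_target` are assumptions for this illustration) that only permits path-only, same-site targets and falls back to a fixed internal path otherwise.

```php
<?php
// Added example (not Drupal code): accept only same-site, path-only
// redirect targets so a crafted link cannot send users to an arbitrary host.

function is_local_redirect_target($target) {
    // Leading/trailing whitespace is stripped by browsers and can hide a
    // scheme or "//"; treat it as suspicious rather than normalising it.
    if (!is_string($target) || $target === '' || trim($target) !== $target) {
        return false;
    }
    // Reject control characters (CR/LF would split the Location header).
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return false;
    }
    // Reject anything carrying a scheme: http:, https:, javascript:, data:, ...
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $target)) {
        return false;
    }
    // Reject protocol-relative forms, including backslash variants browsers
    // accept: //host, /\host, \\host
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return false;
    }
    // Belt and braces: parse_url must also agree there is no host or scheme.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return false;
    }
    return true;
}

// Returns the target if it is local, otherwise a fixed fallback path
// (the fallback 'node' is a constructed value for this example).
function safe_redirect_target($target, $fallback = 'node') {
    return is_local_redirect_target($target) ? $target : $fallback;
}

// Constructed sample inputs, as an attacker-controlled ?destination= might carry.
$samples = array(
    'node/1',
    'user/login?foo=bar',
    'http://attacker.example/phish',
    '//attacker.example/phish',
    '/\\attacker.example',
    'javascript:alert(1)',
    "node/1\r\nSet-Cookie: x=y",
    ' //attacker.example',
);
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s), safe_redirect_target($s));
}
```

Run with `php example.php`; only the first two inputs survive unchanged, every other one is replaced by the fallback path. The ordering matters: the control-character and whitespace checks run before the pattern checks so that `parse_url` never sees input that browsers and PHP would interpret differently.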
Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the "administer languages" permission.
This issue affects Drupal 5.x and 6.x.
Under certain circumstances, a user who is blocked while holding an open session can keep using that session on the Drupal site, despite being blocked.
This issue affects Drupal 5.x and 6.x.
Install the latest version:
Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerabilities, but do not contain other fixes which were released in Drupal 6.16 or Drupal 5.22.
The installation cross site scripting issue was reported by David Rothstein (*).
The open redirection was reported by Martin Barbella.
The locale module cross site scripting was reported by Justin Klein Keane.
The blocked user session regeneration issue was reported by Craig A. Hancock.
(*) Member of the Drupal security team.
The installation cross site scripting issue was fixed by Heine Deelstra.
The open redirection was fixed by Gerhard Killesreiter and Heine Deelstra.
The locale module cross site scripting was fixed by Stéphane Corlosquet, Peter Wolanin, Heine Deelstra and Neil Drumm.
The blocked user session regeneration issue was fixed by Gerhard Killesreiter.
All the fixes were done by members of the Drupal security team.
drupal.org/contact
drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch
drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-6.15.patch
drupal.org/node/725382
drupal.org/upgrade
drupal.org/user/124982
drupal.org/user/17943
drupal.org/user/227
drupal.org/user/302225
drupal.org/user/3064
drupal.org/user/49851
drupal.org/user/52142
drupal.org/user/62850
drupal.org/user/633600
ftp.drupal.org/files/projects/drupal-5.22.tar.gz
ftp.drupal.org/files/projects/drupal-6.16.tar.gz