drupal -- cross site scripting (register_globals)

2008-01-10T00:00:00
ID F0FA19DD-C060-11DC-982E-001372FD0AF2
Type freebsd
Reporter FreeBSD
Modified 2010-05-12T00:00:00

Description

The Drupal Project reports:

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links. Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you.