Drupal Form Action Attribute Injection

2006-10-18T03:49:07
ID OSVDB:29927
Type osvdb
Reporter Frederic Marand
Modified 2006-10-18T03:49:07

Description

Vulnerability Description

Drupal contains a flaw that may allow a malicious user to redirect submitted form data from a Drupal site to a third-party site. This can be exploited by convincing the victim to visit a specially crafted URL, resulting in the possible disclosure of private information.

Solution Description

Upgrade to version 4.6.10 or 4.7.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: drupal.org
Vendor Specific Advisory URL
Secunia Advisory ID: 22486
Related OSVDB ID: 29922
Related OSVDB ID: 29926
Other Advisory URL: http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.025-drupal.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0399.html
Keyword: DRUPAL-SA-2006-026
ISS X-Force ID: 29682
FrSIRT Advisory: ADV-2006-4120
CVE-2006-5477
Bugtraq ID: 20631