Description
-----------
Multiple XSS (cross site scripting) vulnerabilities have been discovered.

A bug in input validation and missing output escaping allow HTML and script
insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain
circumstances, so a malicious user can execute an XSS attack via a specially
crafted RSS feed: the injected markup is stored in the log and is rendered when
the log is viewed. This vulnerability exists only on systems that do not use
PHP's mbstring extension (to check whether mbstring is in use, navigate to
admin/settings and look under "String handling"). Disabling the aggregator
module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape
output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are
met, for example when the injected script runs in the browser of a logged-in
administrator and acts with that session.
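The escaping failure the advisory describes, as an added example that is not Drupal's own code: it parses a constructed RSS feed with PHP's expat-based parser (the same family of calls Drupal 4.x used), then shows a feed title reaching HTML once unescaped (the pattern behind the watchdog and module-output bugs) and once through a check_plain()-style escape (the fix). The function names parse_feed_titles, check_plain_demo, render_unsafe and render_safe are chosen for this example; the feed document and the example.invalid URLs are constructed test data.

```php
<?php
// Added example, not Drupal's own code. It reproduces the two patterns the
// advisory describes: feed-controlled text reaching a log message unescaped,
// and field output rendered without escaping. The RSS document below is
// constructed for the demonstration; example.invalid is a reserved test domain.

$feed = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title><![CDATA[Planet <script>alert(document.cookie)</script> News]]></title>
    <link>http://example.invalid/</link>
    <item>
      <title><![CDATA[Hello <img src=x onerror=alert(1)>]]></title>
      <link>http://example.invalid/1</link>
    </item>
  </channel>
</rss>
XML;

// Parse the feed with PHP's expat parser and collect every <title> as decoded
// text. After parsing, the CDATA content above is plain text containing live
// HTML tags, which is exactly what must not reach a page or log unescaped.
function parse_feed_titles($xml) {
  $titles = array();
  $buffer = '';
  $parser = xml_parser_create('UTF-8');
  xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
  xml_set_element_handler(
    $parser,
    function ($p, $name, $attrs) use (&$buffer) { $buffer = ''; },
    function ($p, $name) use (&$buffer, &$titles) {
      if ($name === 'title') {
        $titles[] = $buffer;
      }
    }
  );
  // Character data may arrive in several chunks, so accumulate it.
  xml_set_character_data_handler($parser, function ($p, $data) use (&$buffer) {
    $buffer .= $data;
  });
  if (!xml_parse($parser, $xml, true)) {
    $error = xml_error_string(xml_get_error_code($parser));
    xml_parser_free($parser);
    return array('error' => $error);
  }
  xml_parser_free($parser);
  return $titles;
}

// Minimal stand-in for Drupal's check_plain(): encode HTML metacharacters so
// the browser displays the text instead of interpreting it. This does not
// depend on mbstring; escaping must work whether or not that extension loads.
function check_plain_demo($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: untrusted feed text interpolated into markup that is
// later rendered as HTML (a log entry shown to an administrator, or a field
// shown on a profile or forum page).
function render_unsafe($label, $untrusted) {
  return "<li>$label: $untrusted</li>";
}

// Fixed pattern: escape at the point where the text becomes HTML.
function render_safe($label, $untrusted) {
  return '<li>' . check_plain_demo($label) . ': ' . check_plain_demo($untrusted) . '</li>';
}

$titles = parse_feed_titles($feed);
if (isset($titles['error'])) {
  die("feed rejected: " . $titles['error'] . "\n");
}
foreach ($titles as $title) {
  echo "unsafe: ", render_unsafe('Feed title', $title), "\n";
  echo "safe:   ", render_safe('Feed title', $title), "\n";
}

// The advisory's mbstring hint: the vulnerable code path is only reached when
// the extension is absent, but output escaping should never rely on it.
echo "mbstring loaded: ", extension_loaded('mbstring') ? 'yes' : 'no', "\n";
```

Run it with the php CLI: each "unsafe" line contains a live script or img element, while the "safe" line shows `&lt;script&gt;` and `&lt;img ...&gt;` as inert text. The point to carry over to a Drupal audit is that the escape belongs where the value is turned into HTML, including log messages built for watchdog(), not only on form input; the actual changes Drupal shipped are in the patches linked under Solution.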
Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz
- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4. They are written against
4.6.9 and 4.7.3; sites on earlier releases should upgrade instead.
Reported by
-----------
- The XML parser vulnerability was reported by Erdem Köse.
- The forum module vulnerability was reported by Jim Phlew.
- The other vulnerabilities were found by members of the Drupal security team.
Contact
-------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.
// Uwe Hermann, on behalf of the Drupal Security Team.
Advisory header
---------------
Project: Drupal core
Date: 2006-Oct-18
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross site scripting