[DRUPAL-SA-2006-026] Drupal 4.6.10 / 4.7.4 fixes HTML attribute injection issue

Type securityvulns
Reporter Securityvulns
Modified 2006-10-21T00:00:00



Drupal security advisory DRUPAL-SA-2006-026

Project: Drupal core Date: 2006-Oct-18 Security risk: Less critical Exploitable from: Remote Vulnerability: HTML attribute injection


A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.10
  • Drupal 4.7.x versions before Drupal 4.7.4

Solution - If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10. http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz - If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4. http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz

  • To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
  • To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by

Frederic Marand.


The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

Uwe Hermann http://www.hermann-uwe.de http://www.it-services-uh.de | http://www.crazy-hacks.org http://www.holsham-traders.de | http://www.unmaintained-free-software.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux)