Primary links
- Advisory ID: DRUPAL-SA-2007-026
- Project: Drupal core
- Version: 4.6.x, 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file.
Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files. but will do nothing to protect your site against files that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually.
Important note: Configuration change needed
Installing the upgrade or using the patch will not remove the .html extensions from an already configured upload module. Visit administer » settings » upload (admin/settings/upload) on Drupal 4.6.x to remove html from the allowed extensions lists.
The steps above will stop uploads of malicious files, but will do nothing to protect your site against files that have already been uploaded. Make sure to carefully inspect the file system path for any HTML files.
The official announcement for Drupal 4.7 is here, and the official patch for Drupal 4.7 is here.
Considerations for Drupal 4.6
The same exploit is possible and therefore Drupal 4.6 must be patched against this vulnerability, using the same approach as the official 4.7 patch.
