SA-CORE-2009-005

Primary links

Advisory ID: DRUPAL-SA-CORE-2009-005
Project: Drupal core
Version: 5.x
Date: 2009-April-29
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: Cross site scripting

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

The official announcement for Drupal 5.x is here.

Considerations for Drupal 4.7

An equivalent vulnerability is present in Drupal 4.7 and installations should be patched.

SA-CORE-2009-005-4.7.patch

Featured Project

VI Source

VI Source is a free online newspaper serving the U.S. Virgin Islands. Each of the three main islands -- St. John, St. Thomas, and St. Croix -- is represented by its own portal that leads to content relevant to its residents. In 2009, Openflows completed development of this richly-featured interactive website.

Full description

Our Clients Are the Bottom Line

One of the key things that makes OCTL different from many other free software/open source consulting groups is that we have no investors. We built the company based on labor and the needs of our clients.

At the end of the day, our decisions are based not on what is in the best interests of shareholders, but on the commitments and relationships we have with the companies and organizations we work with.