SA-CORE-2009-006

Primary links

Advisory ID: DRUPAL-SA-CORE-2009-006
Project: Drupal core
Version: 5.x
Date: 2009-May-13
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: Cross site scripting

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

The fix from SA-CORE-2009-005 was incomplete; this addresses related issues in the book and taxonomy modules.

The official announcement for Drupal 5.x is here.

Considerations for Drupal 4.7

An equivalent vulnerability is present in Drupal 4.7 and installations should be patched.

SA-CORE-2009-006-4.7.patch

Featured Project

Open Green Map

Open Green Map is an interactive, multilingual platform where users can post and add features to maps of localities all over the world. Openflows is incorporating open source and Google Maps technology with social networking and other interactive features to create an ecological map publishing platform with a community feel.

Full description

Our Clients Are the Bottom Line

One of the key things that makes OCTL different from many other free software/open source consulting groups is that we have no investors. We built the company based on labor and the needs of our clients.

At the end of the day, our decisions are based not on what is in the best interests of shareholders, but on the commitments and relationships we have with the companies and organizations we work with.