492943 - Advisory ID: DRUPAL-SA-CORE-2009-006

Status: RESOLVED DUPLICATE of bug 492841

(Websites Graveyard :: spreadfirefox.com, defect)

Description

[Paul Booker]

* Advisory ID: DRUPAL-SA-CORE-2009-006
 * Project: Drupal core
 * Version: 5.x, 6.x
 * Date: 2009-May-13
 * Security risk: Moderately critical
 * Exploitable from: Remote
 * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

When outputting user-supplied data Drupal strips potentially dangerous HTML
attributes and tags or escapes characters which have a special meaning in
HTML. This output filtering secures the site against cross site scripting
attacks via user input. Certain byte sequences that are valid in the UTF-8
specification are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they appear before
the <meta http-equiv="Content-Type" /> tag that specifies the page content as
UTF-8, despite the fact that Drupal also sends a real HTTP header specifying
the content as UTF-8. This enables attackers to execute cross site scripting
attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting [1]
contained an incomplete fix for the issue. HTML exports of books are still
vulnerable, which means that anyone with edit permissions for pages in
outlines is able to insert arbitrary HTML and script code in these exports.
Additionally, the taxonomy module allows users with the /'administer
taxonomy'/ permission to inject arbitrary HTML and script code in the help
text of any vocabulary. Wikipedia has more information about cross site
scripting [2] (XSS).
-------- VERSIONS AFFECTED ---------------------------------------------------

 * Drupal 5.x before version 5.18.
 * Drupal 6.x before version 6.12.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
 * If you are running Drupal 6.x then upgrade to Drupal 6.12 [3].
 * If you are running Drupal 5.x then upgrade to Drupal 5.18 [4].

If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. Theses patches
fix the security vulnerability, but does not contain other fixes which were
released in Drupal 5.18 or Drupal 6.12.
 * To patch Drupal 6.11 use SA-CORE-2009-006-6.11.patch [5].
 * To patch Drupal 5.17 use SA-CORE-2009-006-5.17.patch [6].

-------- REPORTED BY ---------------------------------------------------------

The UTF-7 XSS issue in book-export-html.tpl.php was reported by Markus
Petrux. The XSS issue in taxonomy module was publicly disclosed.
-------- FIXED BY ------------------------------------------------------------

Both issues were fixed by Heine Deelstra, Peter Wolanin and Derek Wright of
the Drupal Security Team.
-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

Comment 1

[Stephen Donner [:stephend] Not actively reading bugmail]

Already filed