Debian: DSA-2016-1 Critical: Drupal6 Remote Exploits and Fixes
debian
March 13, 2010
Several vulnerabilities (SA-CORE-2010-001) have been discovered in drupal6, a fully-featured content management framework
Summary
Several vulnerabilities (SA-CORE-2010-001) have been discovered in
drupal6, a fully-featured content management framework.
Installation cross site scripting
A user-supplied value is directly output during installation allowing a
malicious user to craft a URL and perform a cross-site scripting attack.
The exploit can only be conducted on sites not yet installed.
Open redirection
The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal site
to send the user to an arbitrarily provided URL.
No user submitted data will be sent to that URL.
Locale module cross site scripting
Locale module and dependent contributed modules do not sanitize the display
of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary administrator
input is allowed.
This vulnerability is mitigated by the fact that the attacker must have a
role with the 'administer languages' permission.
Block...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: drupal6
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!