DRUPAL-SA-2006-026 – Drupal core – Form action attribute injection

  • Advisory ID: DRUPAL-SA-2006-026
  • Project: Drupal core
  • Date: 2006-Oct-18
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: HTML attribute injection


A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.

Versions affected

  • Drupal 4.6.x versions before Drupal 4.6.10
  • Drupal 4.7.x versions before Drupal 4.7.4


  • If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by

Frederic Marand.


The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

Drupal version: