• Advisory ID: DRUPAL-SA-2006-026
• Project: Drupal core
• Date: 2006-Oct-18
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: HTML attribute injection

Description

A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.

Versions affected

• Drupal 4.6.x versions before Drupal 4.6.10
• Drupal 4.7.x versions before Drupal 4.7.4

Solution

• If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
• If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.

• To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-026/4.6.9.patch.
• To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-026/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by

Frederic Marand.

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.