SA-CORE-2009-005 – Drupal core – Cross site scripting

  • Advisory ID: DRUPAL-SA-CORE-2009-005
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-April-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting


When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv=”Content-Type” /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

Wikipedia has more information about cross site scripting (XSS).

In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.

This vulnerability is limited to forms present on the frontpage. The user login form is not vulnerable.

Versions affected

  • Drupal 5.x before version 5.17.
  • Drupal 6.x before version 6.11.


Install the latest version:

  • If you are running Drupal 6.x then upgrade to Drupal 6.11.
  • If you are running Drupal 5.x then upgrade to Drupal 5.17.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. Theses patches fix the security vulnerability, but does not contain other fixes which were released in Drupal 5.17 or Drupal 6.11.

As an alternate solution if you are unable to upgrade immediately, you can alter your page template following the pattern in the core changes. Open your theme’s main page.tpl.php file as well as any other page templates like page-node.tpl.php or page-front.tpl.php and move the line that is printing $head (<?php print $head ?>) above line with the <title> tag, so that it is the first item after the <head>.

Reported by

The UTF-7 XSS issue was reported by pod.Edge.

The information disclosure vulnerability was reported by Moritz Naumann.

Fixed by

The Drupal security team


The security team for Drupal can be reached at security at or via the form at

Drupal version: 


XNU 1228.9.59 and earlier on Apple Mac OS X 10.5.6 and earlier does not properly restrict interaction between user space and the HFS IOCTL handler, which allows local users to overwrite kernel memory and gain privileges by attaching an HFS+ disk image and performing certain steps involving HFS_GET_BOOT_INFO fcntl calls. (CVSS:7.2) (Last Update:2009-08-13)


Race condition in the HFS vfs sysctl interface in XNU 1228.8.20 and earlier on Apple Mac OS X 10.5.6 and earlier allows local users to cause a denial of service (kernel memory corruption) by simultaneously executing the same HFS_SET_PKG_EXTENSIONS code path in multiple threads, which is problematic because of lack of mutex locking for an unspecified global variable. (CVSS:7.2) (Last Update:2009-04-18)


Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allow local users to cause a denial of service (kernel memory consumption) via a crafted (1) SYS_add_profil or (2) SYS___mac_getfsstat system call. (CVSS:4.9) (Last Update:2009-04-18)


Heap-based buffer overflow in the AppleTalk networking stack in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allows remote attackers to cause a denial of service (system crash) via a ZIP NOTIFY (aka ZIPOP_NOTIFY) packet that overwrites a certain ifPort structure member. (CVSS:10.0) (Last Update:2009-04-18)