----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2006-011
----------------------------------------------------------------------------

  Advisory ID:     DRUPAL-SA-2006-011
  Project:         Drupal core
  Date:            2006-Aug-02
  Security risk:   less critical
  Impact:          Drupal 4.6, Drupal 4.7
  Where:           from remote
  Vulnerability:   cross-site scripting

----------------------------------------------------------------------------

Description
-----------

A malicious user can execute a cross-site scripting attack by enticing
someone to visit a Drupal site via a specially crafted link.

Versions affected
-----------------

- Drupal 4.6.x versions before Drupal 4.6.9
- Drupal 4.7.x versions before Drupal 4.7.3

Solution
--------

If you are running Drupal 4.6.x then upgrade to Drupal 4.6.9
(http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.9.tar.gz).

If you are running Drupal 4.7.x then upgrade to Drupal 4.7.3
(http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.3.tar.gz).

To patch Drupal 4.6.8 use http://drupal.org/files/sa-2006-011/4.6.8.patch.

To patch Drupal 4.7.2 use http://drupal.org/files/sa-2006-011/4.7.2.patch.

Reported By
-----------

Ayman Hourieh

Note about Drupal 4.7.3 and custom themes or JavaScript
-------------------------------------------------------

A bug in the form API theme layer made it possible to have an ID occur more
than once in a page. This invalidates the HTML, makes styling with CSS hard
or impossible, and can break JavaScript. A patch was committed to ensure
unique IDs.

This patch has a side-effect: IDs for hidden form fields in your site's HTML
will change. You might need to adapt your custom CSS or JavaScript if it
refers to such a changed ID.

Contact
-------

The security contact for Drupal can be reached at security@drupal.org or
using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml.
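The note above about Drupal 4.7.3 warns that the unique-ID fix changes the IDs of hidden form fields, so custom CSS or JavaScript keyed on the old IDs may stop working. The following is an added example, not code from the advisory or from Drupal itself: two checks a site maintainer can run over saved page HTML, one that reports IDs occurring more than once (the invalid markup the fix removes) and one that reports IDs a theme's CSS or JavaScript refers to but which no longer exist in the page after the upgrade. The HTML samples, the ID names such as edit-form-id and edit-node-form-form-id, and the list of theme-referenced IDs are all constructed for the demonstration and are not Drupal's actual output.

```javascript
// Added example (not part of the Drupal advisory or of Drupal's own code).
// Checks over rendered HTML for a site that has upgraded to 4.7.3:
//  1. findDuplicateIds(html): id values that occur more than once.
//  2. findMissingIds(html, referencedIds): ids that custom CSS/JavaScript
//     refers to but that are absent from the page (a changed hidden-field id).
// All HTML samples and id names below are constructed for the demo.

function extractIds(html) {
  // Collect every id="..." or id='...' attribute value, in document order.
  const re = /\sid\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const ids = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    ids.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return ids;
}

function findDuplicateIds(html) {
  const counts = new Map();
  for (const id of extractIds(html)) {
    counts.set(id, (counts.get(id) || 0) + 1);
  }
  return [...counts.entries()]
    .filter(([, n]) => n > 1)
    .map(([id, n]) => ({ id, count: n }));
}

function findMissingIds(html, referencedIds) {
  const present = new Set(extractIds(html));
  return referencedIds.filter((id) => !present.has(id));
}

// Constructed sample: two forms on one page whose hidden form_id fields were
// rendered with the same element id, the condition the advisory describes.
const BEFORE_UPGRADE_HTML = `
<form id="node-form" action="/node/add" method="post">
  <input type="hidden" id="edit-form-id" name="form_id" value="node_form">
  <input type="text" id="edit-title" name="title">
</form>
<form id="search-form" action="/search" method="post">
  <input type="hidden" id="edit-form-id" name="form_id" value="search_form">
  <input type="text" id="edit-keys" name="keys">
</form>`;

// Constructed sample: after the fix every id is unique, so the hidden fields
// carry different ids and a script keyed on the old "edit-form-id" breaks.
const AFTER_UPGRADE_HTML = `
<form id="node-form" action="/node/add" method="post">
  <input type="hidden" id="edit-node-form-form-id" name="form_id" value="node_form">
  <input type="text" id="edit-title" name="title">
</form>
<form id="search-form" action="/search" method="post">
  <input type="hidden" id="edit-search-form-form-id" name="form_id" value="search_form">
  <input type="text" id="edit-keys" name="keys">
</form>`;

// Ids that a hypothetical custom theme's CSS and JavaScript refer to.
const THEME_REFERENCED_IDS = ['edit-title', 'edit-keys', 'edit-form-id'];

function runChecks() {
  return {
    duplicatesBefore: findDuplicateIds(BEFORE_UPGRADE_HTML),
    duplicatesAfter: findDuplicateIds(AFTER_UPGRADE_HTML),
    missingAfter: findMissingIds(AFTER_UPGRADE_HTML, THEME_REFERENCED_IDS),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run it with node against HTML saved from the site before and after the upgrade; any id listed under missingAfter is one the custom theme must be updated to use the new name for. The regex-based extractor is deliberately simple and only looks at id attributes, which is sufficient for this check; it does not attempt to parse the document fully.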