Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By jvandyk on
- Advisory ID: DRUPAL-SA-2006-004
- Project: Drupal core
- Date: 2006-03-13
- Security risk: moderately critical
- Impact: security bypass
- Where: from remote
- Vulnerability: mail header injection attack
Description
Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email.
This could lead to Drupal sites being used to send unwanted email.
Versions affected
All Drupal versions before 4.6.6.
Solution
- If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8.
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.6.
Reported by
Norrin, kbahey
Contact
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from our security RSS feed http://drupal.org/security/rss.xml.
