- Advisory ID: DRUPAL-SA-2006-021
- Project: Site Profile Directory
- Date: 2006-Sep-20
- Security risk: less critical
- Exploitable from: remote
- Vulnerability: cross site scripting
Description
It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.
Versions affected
Drupal core is not affected. If you do not use the Site Profile Directory module there is nothing you need to do.
If you are running Site Profile Directory, please check the CVS $Id$ fields on the second line of the file profile_pages.module to determine whether the version you are running is vulnerable. Versions lacking this field or older than the following are vulnerable:
- Drupal 4.6 - // $Id: profile_pages.module,v 1.1.2.1 2006/09/14 07:00:14 heine Exp $
- Drupal 4.7 - // $Id: profile_pages.module,v 1.2.2.1 2006/09/14 09:08:58 heine Exp $
Solution
Install the latest version:
See also the Site Profile Directory project page.
Reported by
Ben Reser
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
