• Advisory ID: DRUPAL-SA-2006-022
  • Project: Search Keywords
  • Date: 2006-Sep-20
  • Security risk: moderately critical
  • Exploitable from: remote
  • Vulnerability: cross site scripting

Description

It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output. This may lead to administrator access if certain conditions are met.
Learn more about XSS on Wikipedia.

Versions affected

Drupal core is not affected. If you do not use the Search Keywords module there is nothing you need to do.

If you are running Search Keywords, please check the CVS $Id$ fields on the second line of the file search_keywords.module to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable:

  • Drupal 4.7 - $Id: search_keywords.module,v 1.15 2006/09/15 14:31:26 sugree Exp $

Solution

Install the latest version:

See also the Search Keywords project page.

Reported by

Andre Bar'yudin

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.