DSA-1147-1 drupal -- missing input sanitising

Debian Security Advisory

DSA-1147-1 drupal -- missing input sanitising

Date Reported:

09 Aug 2006

Affected Packages:

drupal

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2006-4002.

More information:

Ayman Hourieh discovered that Drupal, a dynamic website platform, performs insufficient input sanitising in the user module, which might lead to cross-site scripting.

For the stable distribution (sarge) this problem has been fixed in version 4.5.3-6.1sarge3.

For the unstable distribution (sid) this problem has been fixed in version 4.5.8-2.

We recommend that you upgrade your drupal package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge3.dsc

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge3.diff.gz

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge3_all.deb

MD5 checksums of the listed files are available in the original advisory.