Multiple XSS (cross site scripting) vulnerabilities have been discovered.
A bug in input validation and lack of output validation allows HTML and script
insertion on several pages.
Drupal's XML parser passes unescaped data to watchdog under certain
circumstances. A malicious user may execute an XSS attack via a specially
crafted RSS feed. This vulnerability exists on systems that do not use PHP's
mb_string extension (to check if mb_string is being used, navigate to
admin/settings and look under "String handling"). Disabling the aggregator
module provides an immediate workaround.
The aggregator module, profile module, and forum module do not properly escape
output of certain fields.
Note: XSS attacks may lead to administrator access if certain conditions are
met.
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz
To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch.
To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch.
Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4.
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFN7DxXdVoV3jWIbQRAm5IAJ0UmC80/DpS0I2WM8q9nPmxZdjtHQCeMiVP
jFhf+0xpVQz/7pXwh71hOAo=
=5y6Z
-----END PGP SIGNATURE-----