Drupal 4.6.2 / 4.5.4 fixes input validation issue

Date: July 2, 2005

Description
-----------
Kuba Zygmunt discovered a flaw in the input validation routines of Drupal’s
filter mechanism. An attacker could execute arbitrary PHP code on a target
site when public comments or postings are allowed.

Versions affected
-----------------
Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3
Drupal 4.6.0, 4.6.1

Solution
--------
Either disable public comments and postings, or upgrade to the latest Drupal
version:
- If you cannot upgrade immediately, you can secure your site by disabling
public postings and comments. Log in as an administrator, go to
“administer >> access control” and make sure that untrusted roles don’t
have the permissions to submit or edit content.
- If you are running Drupal 4.5.x, then upgrade to Drupal 4.5.4.
- If you are running Drupal 4.6.x, then upgrade to Drupal 4.6.2.

Contact
-------
The security contact for Drupal can be reached at security@drupal.org
or using the form at http://drupal.org/contact.

One Response to “Drupal 4.6.2 / 4.5.4 fixes input validation issue”

  1. hero_zero said:

    bug v2.0.0 —>2.0.4
