------------SA-2008-007 - DRUPAL CORE - CROSS SITE SCRIPTING (REGISTER_GLOBALS)------------
* Advisory ID: DRUPAL-SA-2008-007
* Project: Drupal core
* Version: 4.7.x, 5.x
* Date: 2008-January-10
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting when register_globals is enabled.
------------DESCRIPTION------------
When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.
Drupals .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you.
------------VERSIONS AFFECTED------------
* Drupal 4.7.x
* Drupal 5.x
------------SOLUTIONS------------
* Disable register_globals. Please refer to the PHP documentation [
http://www.php.net/configuration.changes ] on information how to configure PHP.
* Ensure .tpl.php files are not accessible via the web.
Drupal 4.7.11 and 5.6 will present a warning on the administration page when register_globals is enabled. Drupal 5.6 will refuse installation on an insecurely configured server. Existing sites will continue to work.
------------REPORTED BY------------
Ultra Security Research.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].