#1812: Freeze Exception request: drupal
Fedora Release Engineering
rel-eng at fedoraproject.org
Thu May 14 12:51:25 UTC 2009
#1812: Freeze Exception request: drupal
-----------------------------+----------------------------------------------
Reporter: limb | Owner: rel-eng at lists.fedoraproject.org
Type: task | Status: new
Milestone: Fedora 11 Final | Component: koji
Keywords: |
-----------------------------+----------------------------------------------
Please tag drupal-6.12-1.f11, security fix for SA-CORE-2009-006.
When outputting user-supplied data Drupal strips potentially dangerous
HTML attributes and tags or escapes characters which have a special
meaning in HTML. This output filtering secures the site against cross site
scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification are
potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7
may decode these characters as UTF-7 if they appear before the <meta http-
equiv="Content-Type" /> tag that specifies the page content as UTF-8,
despite the fact that Drupal also sends a real HTTP header specifying the
content as UTF-8. This enables attackers to execute cross site scripting
attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting
contained an incomplete fix for the issue. HTML exports of books are still
vulnerable, which means that anyone with edit permissions for pages in
outlines is able to insert arbitrary HTML and script code in these
exports.
Additionally, the taxonomy module allows users with the 'administer
taxonomy' permission to inject arbitrary HTML and script code in the help
text of any vocabulary.
Wikipedia has more information about cross site scripting (XSS).
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/1812>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
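Two defender-side checks for the UTF-7 problem the advisory describes, added here as an example and not part of the ticket or of Drupal's own code: one asks whether a UTF-8 page would expose extra '<' or '>' if a browser guessed UTF-7, the other asks whether the charset <meta> precedes <body>. The sample fragments are constructed; the assumption that user content only appears inside <body> is the example's own.

```python
import re

# Constructed sample fragments (not taken from the advisory); the UTF-7 shift
# sequences "+ADw-" and "+AD4-" decode to "<" and ">" respectively.
UTF7_SHIFTED_TAG = "+ADw-b+AD4-bold"          # the UTF-8 view shows no tag at all
ESCAPED_TEXT = "a &lt; b"                     # properly escaped, harmless either way
PAGE_WITH_EARLY_CHARSET = (
    '<html><head><meta http-equiv="Content-Type" '
    'content="text/html; charset=utf-8" /></head><body>hello</body></html>'
)
PAGE_WITH_LATE_CHARSET = (
    '<html><head></head><body>hello'
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></body></html>'
)

# Matches either a <meta charset=utf-8> or a <meta http-equiv="Content-Type"> declaration.
CHARSET_DECL = re.compile(
    r'<meta\s+[^>]*(?:charset\s*=\s*["\']?utf-8|http-equiv\s*=\s*["\']?content-type)',
    re.IGNORECASE,
)


def utf7_view(text: str) -> str:
    """What a browser that guesses UTF-7 would see for this UTF-8 output.

    Bytes that are not valid UTF-7 are replaced rather than raised, because the
    question is only whether extra markup appears, not whether decoding is clean.
    """
    return text.encode("utf-8").decode("utf-7", errors="replace")


def utf7_reveals_markup(text: str) -> bool:
    """True when a UTF-7 reinterpretation exposes '<' or '>' absent from the UTF-8 view."""
    utf8_has = {c for c in text if c in "<>"}
    utf7_has = {c for c in utf7_view(text) if c in "<>"}
    return bool(utf7_has - utf8_has)


def charset_declared_before_body(html: str) -> bool:
    """True when the charset <meta> precedes <body>, i.e. before any user content.

    Assumption (ours, not Drupal's): user-supplied content only appears inside <body>.
    """
    decl = CHARSET_DECL.search(html)
    body = re.search(r"<body\b", html, re.IGNORECASE)
    if decl is None:
        return False
    return body is None or decl.start() < body.start()
```

The first check is a review aid for templates and export code paths such as the book HTML export; the real fix is still to escape user input and emit the charset declaration before anything user-controlled.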