Mageni Mageni Security LLC

Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Fedora Core 9 FEDORA-2009-4997 (drupal)

Information

Severity

Severity

Medium

Family

Family

Fedora Local Security Checks

CVSSv2 Base

CVSSv2 Base

5.0

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution Type

Solution Type

Vendor Patch

Created

Created

14 years ago

Modified

Modified

6 years ago

Share

Summary

The remote host is missing an update to drupal announced via advisory FEDORA-2009-4997.

Insight

Insight

Update Information: Fixes SA-CORE-2009-006 ( http://drupal.org/node/461886 ). When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports. Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary. ChangeLog: * Thu May 14 2009 Jon Ciesla - 6.12-1 - Update to 6.11, SA-CORE-2009-006. * Thu Apr 30 2009 Jon Ciesla - 6.11-1 - Update to 6.11, SA-CORE-2009-005. * Mon Apr 27 2009 Jon Ciesla - 6.10-2 - Added SELinux/sendmail note to README, BZ 497642.

Solution

Solution

Apply the appropriate updates. Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to http://host/drupal/update.php to run the upgrade script. This update can be installed with the yum update program. Use su -c 'yum update drupal' at the command line. For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/. https://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-4997

Common Vulnerabilities and Exposures (CVE)