Title: Drupal Multiple Input Validation Vulnerabilities
Severity: HIGH
Description:
Drupal is an open-source content management system (CMS). Drupal is available for a number of platforms, including Microsoft Windows and UNIX/Linux variants.
Drupal is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
A cross-site scripting vulnerability occurs because of a lack of validation on output of the page title.
An SQL-injection vulnerability occurs because certain queries are not being sent through the sanitizer.
A arbitrary file-execution vulnerability occurs in certain Apache configurations when dealing with multiple extensions in filenames in the 'files' directory.
A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.
Affected Products:
- Debian Linux 3.1.0
- Debian Linux 3.1.0 alpha
- Debian Linux 3.1.0 amd64
- Debian Linux 3.1.0 arm
- Debian Linux 3.1.0 hppa
- Debian Linux 3.1.0 ia-32
- Debian Linux 3.1.0 ia-64
- Debian Linux 3.1.0 m68k
- Debian Linux 3.1.0 mips
- Debian Linux 3.1.0 mipsel
- Debian Linux 3.1.0 ppc
- Debian Linux 3.1.0 s/390
- Debian Linux 3.1.0 sparc
- Drupal Drupal 4.0.0 .0
- Drupal Drupal 4.1.0 .0
- Drupal Drupal 4.2.0 .0 RC
- Drupal Drupal 4.4.0
- Drupal Drupal 4.4.1
- Drupal Drupal 4.4.2
- Drupal Drupal 4.4.3
- Drupal Drupal 4.5.0
- Drupal Drupal 4.5.1
- Drupal Drupal 4.5.2
- Drupal Drupal 4.5.2
- Drupal Drupal 4.5.3
- Drupal Drupal 4.5.4
- Drupal Drupal 4.5.5
- Drupal Drupal 4.5.6
- Drupal Drupal 4.5.7
- Drupal Drupal 4.5.8
- Drupal Drupal 4.6.0
- Drupal Drupal 4.6.1
- Drupal Drupal 4.6.2
- Drupal Drupal 4.6.3
- Drupal Drupal 4.6.4
- Drupal Drupal 4.6.5
- Drupal Drupal 4.6.6
- Drupal Drupal 4.6.7
- Drupal Drupal 4.7.0
- Drupal Drupal 4.7.1