• IDP Daily Update #1254
  posted: 09/05/08
  
• NSM Daily Update #1254
  posted: 09/05/08
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1254
  posted: 09/05/08
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1252
  posted: 09/05/08
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 09/05/08

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Drupal News Message HTML Injection Vulnerability

Severity: MODERATE

Description:

Drupal is a freely available, open-source content manager implemented in PHP. It is available for UNIX, Linux, and Microsoft operating environments.

Problems with Drupal could allow an attacker to inject arbitrary HTML in Drupal news posts.

Drupal fails to sufficiently filter potentially malicious HTML code from news posts. As a result, when a user chooses to view a news posting that contains malicious HTML code, the code contained in the posted message would be executed in their browser. This will occur in the context of the site hosting the Drupal software.

Note that administrative approval may be required before news posts are actually displayed on the vulnerable site. If this is the case, and a post requires approval through a web-based interface, then an administrator of the vulnerable site may be the intended target of attacks.

Attackers may potentially exploit this issue to manipulate web content, steal cookie-based authentication credentials, and possibly to take arbitrary actions as the victim user.

This vulnerability was reported for Drupal 4.0.0. It is not known whether other versions are affected.

Affected Products:

• Drupal Drupal 4.0.0 .0

References:

• Drupal: Vendor Homepage