----------------------------------------------------------------------

Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.

The Full Featured Secunia Network Software Inspector (NSI) is now
available:
http://secunia.com/network_software_inspector/

The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.

----------------------------------------------------------------------

TITLE:
Drupal Multiple Cross-Site Scripting and Request Forgery
Vulnerabilities

SECUNIA ADVISORY ID:
SA26224

VERIFY ADVISORY:
http://secunia.com/advisories/26224/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
>From remote

SOFTWARE:
Drupal 5.x
http://secunia.com/product/13378/
Drupal 4.x
http://secunia.com/product/342/

DESCRIPTION:
Some vulnerabilities have been reported in Drupal, which can be
exploited by malicious users to conduct cross-site scripting attacks
and by malicious people to conduct cross-site request forgery
attacks.

1) Drupal does not correctly use the Forms API and allows users to
perform certain actions via HTTP requests without performing any
validity checks to verify the request. This can be exploited e.g. to
delete comments or content revisions and disable menu items by
enticing a logged-in user to visit a malicious site. 

The vulnerabilities are reported in Drupal 5.x prior to 5.2.

2) Certain server variables are not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.

Successful exploitation requires "administer content types"
privileges.

The vulnerabilities are reported in Drupal  4.7.x prior to 4.7.7 and
Drupal 5.x prior to Drupal 5.2

SOLUTION:
Update to version 4.7.7 and 5.2 or apply patches.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Konstantin Käfer (menu issue) and the Drupal security team.
2) David Caylor (PHP_SELF issue) and Karthik (Content type naming
issues).

ORIGINAL ADVISORY:
1) http://drupal.org/files/sa-2007-017/advisory.txt
2) http://drupal.org/files/sa-2007-018/advisory.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------