FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

drupal -- cross site scripting (register_globals)

Affected packages
drupal5 < 5.6
drupal4 < 4.7.11

Details

VuXML ID f0fa19dd-c060-11dc-982e-001372fd0af2
Discovery 2008-01-10
Entry 2008-01-11
Modified 2010-05-12

The Drupal Project reports:

When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.

Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you.

References

CVE Name CVE-2008-0274
URL http://drupal.org/node/208565
URL http://secunia.com/advisories/28422/