VID | 210043
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
Drupal is vulnerable to an arbitrary PHP code execution vulnerability when previewing comments. Drupal is an open-source content management system written in PHP. Drupal versions 4.7.x prior to 4.7.6 and versions 5.x prior to 5.1 could allow a remote attacker to execute arbitrary PHP code, caused by the improper handling of comments by the comment_form_add_preview() function. A remote attacker could exploit this vulnerability while previewing a comment to execute arbitrary PHP code on a vulnerable system.
* References:
  http://drupal.org/node/113935
  http://www.frsirt.com/english/advisories/2007/0406
  http://www.frsirt.com/english/advisories/2007/0415
  http://secunia.com/advisories/23960
  http://secunia.com/advisories/23990
* Platforms Affected: Drupal versions 4.7.x prior to 4.7.6; Drupal versions 5.x prior to 5.1; Any operating system; Any version |
Recommendation | Upgrade to the latest version of Drupal (4.7.6 / 5.1 or later), as listed in the Drupal Security Advisory ID: DRUPAL-SA-2007-005 at http://drupal.org/node/113935
Related URL | CVE-2007-0626 (CVE)
Related URL | 22306 (SecurityFocus)
Related URL | 31940 (ISS)