Info

Disclosure

Mar 13, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Drupal contains a flaw allows a malicious user to insert line feeds and carriage returns into outgoing email. This allows the attacker to insert bogus headers into outgoing email. This could lead to Drupal sites being used to send unwanted email.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 4.5.8, 4.6.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Drupal	Drupal	4.5.7
		4.6.5

References

Secunia Advisory ID: 19245 19257
CVE ID: 2006-1225 (see also: NVD)
Related OSVDB ID: 23909 23910 23911
ISS X-Force ID: 25206
Keyword: DRUPAL-SA-2006-004
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/1468.html
Vendor URL: http://drupal.org/
Vendor Specific Advisory URL: http://drupal.org/node/53806
http://www.debian.org/security/2006/dsa-1007

Credit

Norrin -
kbahey -

Direct URL: http://osvdb.org/23912