TurnKey Linux Virtual Appliance Library

Drupal 6.12 update Cross site scripting?

donty

Hi All

This will sound like a whinge, but it looks like the TurnKey Drupal 6.11 may have a serious cross-site scripting error which was patched and updated by Drupal on 13th May but hasn't made it into the TurnKey ISO or repositories.

Just wondered since XSS is so big a pain whether it could be included quickly to avoid proliferation?

Liraz Siri

Good point

Thanks for pointing this out. I'll talk to Alon about this tomorrow and see if we can test 6.12 for inclusion in our auto-updates repository. That version came out about a week after we had finished testing that the previous version (6.11) could be updated to automatically without issues.

FYI, though we realize both can have serious consequences, we usually consider XSS vulnerabilities to be of lower priority than remote execution vulnerabilities. Especially in the middle of a development cycle.

Anyhow, note that just like with any other installation of Drupal on Ubuntu you can always apply a patch by hand. We've been importing the Drupal packages from Debian unstable after we test them. You could always install that package and do the testing yourself. If possible report back to the community so we can build on your experience.
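Whichever route is taken (the tested package from the repository or a hand-applied patch), the thing to confirm afterwards is that the site is actually running the fixed core release. The following is an added example, not code from the thread or from TurnKey: Drupal 6 declares its core version in modules/system/system.module as define('VERSION', '6.x');, so a short shell check can read it out and compare it numerically against the release the poster names (6.12). The sample docroot it creates is constructed for a stand-alone run, not a real install.

```shell
#!/bin/sh
# Added example (not from the thread): read the Drupal core version from a
# site's modules/system/system.module and say whether it is older than the
# release carrying the XSS fix discussed above. Drupal 6 defines its version
# as define('VERSION', '6.x'); in that file.

# drupal_version DOCROOT -> prints the core version string found in the docroot
drupal_version() {
    sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" "$1/modules/system/system.module"
}

# needs_update VERSION MINIMUM -> exit status 0 if VERSION is older than MINIMUM.
# Compares major and minor parts as integers, so 6.9 is correctly treated as
# older than 6.12 (a plain string comparison would get that wrong).
needs_update() {
    have_major=${1%%.*}; have_minor=${1#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    [ "$have_major" -lt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -lt "$want_minor" ]; }
}

# Constructed sample docroot (assumption: stands in for /var/www/drupal6 or similar)
demo_docroot="$(mktemp -d)"
mkdir -p "$demo_docroot/modules/system"
printf "<?php\ndefine('VERSION', '6.11');\n" > "$demo_docroot/modules/system/system.module"

fixed_release="6.12"
installed="$(drupal_version "$demo_docroot")"
if needs_update "$installed" "$fixed_release"; then
    echo "Drupal $installed is older than $fixed_release: apply the update"
else
    echo "Drupal $installed is at or above $fixed_release"
fi
rm -rf "$demo_docroot"
```

On a real appliance, point drupal_version at the site's document root instead of the constructed one; the function only reads the file, so it is safe to run on a live site.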

Alon Swartz

Tested and updated package archive

I've been meaning to do this for a while now, just been busy with the upcoming release and as Liraz mentioned "we usually consider XSS vulnerabilities to be of lower priority than remote execution vulnerabilities".

Anyway, you can read more in the update announcements for drupal5 and drupal6.

donty

That's great news,

That's great news, thanks. I know remote exec is worse, but I have seen a fair bit of injection and XSS resulting in 3rd party problems and harm to confidence and reputation, especially when Google reports it as a dangerous site. So I might overplay it a bit, but when it's avoidable it's best to avoid it ;-) Thanks for the quick response, as always! *Meant to say I did patch mine up from Drupal, which meant I changed the default settings conf in the sites default directory, which meant I got to understand more about multi-site operation, which was a nice bonus for handcrafting ;-)
