CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Link | Tags |
---|---|
http://drupal.org/node/184315 | vendor advisory |
http://www.vupen.com/english/advisories/2007/3546 | vdb entry third party advisory |
https://exchange.xforce.ibmcloud.com/vulnerabilities/37264 | vdb entry third party advisory |
http://secunia.com/advisories/27292 | third party advisory |
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html | third party advisory vendor advisory |
http://secunia.com/advisories/27352 | third party advisory |
http://www.securityfocus.com/bid/26119 | vdb entry third party advisory |