* Advisory ID: DRUPAL-SA-CONTRIB-2010-011 * Project: Feedback (third-party module) * Version: 5.x, 6.x * Date: 2010-January-27 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Feedback module enables users and visitors of a Drupal site to quickly send feedback messages about the currently displayed page. When displaying reports about submitted feedback, the module does not properly sanitize the user agent strings from the Browscap module before display, leading to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. Mitigating factors: this only impacts sites which also use the Browscap module and have the "Monitor browsers" feature enabled. -------- VERSIONS AFFECTED ---------------------------------------------------
* Feedback for Drupal 6.x prior to 6.x-2.1 * Feedback for Drupal 5.x prior to 5.x-2.1
Drupal core is not affected. If you do not use the contributed Feedback module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version: * If you use Feedback for Drupal 6.x upgrade to Feedback 6.x-2.1 [2] * If you use Feedback for Drupal 5.x upgrade to Feedback 5.x-2.1 [3]
See also the Feedback project page [4]. -------- REPORTED BY ---------------------------------------------------------
* mr.baileys [5]
-------- FIXED BY ------------------------------------------------------------
* Daniel Kudwien [6], the module maintainer * Dave Reid [7]
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/697288 [3] http://drupal.org/node/697290 [4] http://drupal.org/project/feedback [5] http://drupal.org/user/383424 [6] http://drupal.org/user/54136 [7] http://drupal.org/user/53892