* Advisory ID: DRUPAL-SA-CONTRIB-2009-052
* Project: Printer, e-mail and PDF versions (Print) (third-party modules)
* Version: 5.x, 6.x
* Date: 2009-August-19
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Printer, e-mail and PDF versions ("Print") module provides printer-friendly versions of content. The module doesn't properly escape a number of user-supplied variables before output. A user who has the permission to add content could attempt a cross site scripting [1] (XSS) attack which may in some cases lead to the user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Print versions 6.x prior to 6.x-1.8
* Print versions 5.x prior to 5.x-4.8

Drupal core is not affected. If you do not use the contributed Print module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
* If you use the Print module on Drupal 6.x upgrade to 6.x-1.8 [2]
* If you use the Print module on Drupal 5.x upgrade to 5.x-4.8 [3]

See also the Print module project page [4].

-------- REPORTED BY ---------------------------------------------------------

Justin Klein Keane [5].

-------- FIXED BY ------------------------------------------------------------

João Ventura [6], the "Printer, e-mail and PDF versions" project maintainer, with assistance from Ben Jeavons [7] of the Drupal Security Team [8].

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554328
[3] http://drupal.org/node/554326
[4] http://drupal.org/project/print
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/91990
[8] http://drupal.org/security-team
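
The DESCRIPTION section above names the bug class (user-supplied variables printed without escaping) but not the variables. The following is an added illustration, not code from the Print module or from the advisory: a hypothetical node title is rendered into a printer-friendly page first raw, then through Drupal's check_plain(). The title value, the function names render_title_unsafe/render_title_safe/render_link_safe and the markup are all constructed here; check_plain() is redefined only so the script runs outside a Drupal bootstrap, with the same htmlspecialchars(ENT_QUOTES, UTF-8) behaviour Drupal 5 and 6 use.

```php
<?php
// Added example, not code from the Print module or the advisory.
// Shows the class of defect described in the advisory: a user-supplied
// string (a hypothetical node title standing in for the module's actual
// unescaped variables) printed into HTML raw versus escaped at output time.

// Assumption: check_plain() is Drupal's escaping helper. Outside a Drupal
// bootstrap it is redefined here with the same behaviour so the script runs.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample input: a title containing markup, an ampersand and
// double quotes, the characters that matter for HTML contexts.
$title = 'Quarterly report <b>draft</b> & "notes"';

// Vulnerable pattern: the raw value is concatenated into the page, so any
// markup the content author typed is parsed as live HTML by the browser
// of whoever opens the printer-friendly version.
function render_title_unsafe($title) {
  return '<h1 class="print-title">' . $title . '</h1>';
}

// Hardened pattern: escape at the point of output. The same characters are
// still shown to the reader, but as literal text rather than markup.
function render_title_safe($title) {
  return '<h1 class="print-title">' . check_plain($title) . '</h1>';
}

// Attribute context: the value sits inside double quotes, which is why
// ENT_QUOTES (escaping both ' and ") is part of check_plain()'s behaviour.
function render_link_safe($url, $title) {
  return '<a href="' . check_plain($url) . '">' . check_plain($title) . '</a>';
}

echo render_title_unsafe($title), "\n";
echo render_title_safe($title), "\n";
echo render_link_safe('http://example.com/node/1?x=1&y=2', $title), "\n";
```

Running the script prints the title once with the `<b>` tag intact and once with `<`, `>`, `&` and `"` turned into entities. In a Drupal theme template the corrected form is simply `<?php print check_plain($title) ?>`; where a variable is allowed to carry a restricted set of HTML (body text, for instance), Drupal's filter_xss() with an explicit allowed-tag list is the appropriate helper rather than printing the value unchanged.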