* Advisory ID: DRUPAL-SA-CONTRIB-2009-052
* Project: Printer, e-mail and PDF versions (Print) (third-party modules)
* Version: 5.x, 6.x
* Date: 2009-August-19
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Printer, e-mail and PDF versions ("Print") module provides printer-friendly versions of content.

The module doesn't properly escape a number of user-supplied variables before output. A user who has the permission to add content could attempt a cross site scripting [1] (XSS) attack, which may in some cases lead to the user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Print versions 6.x prior to 6.x-1.8
* Print versions 5.x prior to 5.x-4.8

Drupal core is not affected. If you do not use the contributed Print module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Print module on Drupal 6.x, upgrade to 6.x-1.8 [2]
* If you use the Print module on Drupal 5.x, upgrade to 5.x-4.8 [3]

See also the Print module project page [4].

-------- REPORTED BY ---------------------------------------------------------

Justin Klein Keane [5].

-------- FIXED BY ------------------------------------------------------------

João Ventura [6], the "Printer, e-mail and PDF versions" project maintainer, with assistance from Ben Jeavons [7] of the Drupal Security Team [8].

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
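The following is an added illustration of the vulnerability class this advisory describes (user-supplied values written into markup without escaping) beside the standard Drupal 5/6 fix, which is to escape at output time with check_plain(). It is not the Print module's code and does not reproduce the actual affected variables; the function names render_title_unsafe/render_title_safe and the sample title are constructed for this example. check_plain() is Drupal's own API; the fallback defined here exists only so the snippet runs outside a Drupal bootstrap.

```php
<?php
// Added example: illustrates unescaped vs. escaped output in a Drupal 5/6
// context. This is NOT the Print module's code; names below are constructed.

// Drupal provides check_plain(). Outside Drupal, define an equivalent so the
// example runs stand-alone (Drupal's version also validates UTF-8 first).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample input: a node title supplied by a user who has the
// permission to add content. The author controls this string completely.
$title = '<img src=x onerror="alert(document.cookie)">Quarterly report';

// Vulnerable pattern: the user-supplied value is concatenated straight into
// the printer-friendly page markup. The browser interprets the <img> tag and
// runs the onerror handler in the context of whoever views the page.
function render_title_unsafe($title) {
  return '<h1 class="print-title">' . $title . '</h1>';
}

// Hardened pattern: escape at the point of output. check_plain() turns
// <, >, &, " and ' into HTML entities, so the title is displayed as text.
function render_title_safe($title) {
  return '<h1 class="print-title">' . check_plain($title) . '</h1>';
}

// Attribute context: the same rule applies when a user value lands inside an
// attribute (here a constructed query parameter). Escaping with check_plain()
// after URL-encoding keeps a quote in the input from breaking out of href="".
function render_link_safe($node_title) {
  $url = 'print/node?title=' . rawurlencode($node_title);
  return '<a href="' . check_plain($url) . '">' . check_plain($node_title) . '</a>';
}

// Simple self-check: the hardened output must not contain a raw '<' from the
// user value, while the unsafe output does.
function output_is_escaped($html) {
  return strpos($html, '<img') === false && strpos($html, '&lt;img') !== false;
}

echo render_title_unsafe($title), "\n";   // markup from the user reaches the browser
echo render_title_safe($title), "\n";     // rendered as literal text instead
echo render_link_safe($title), "\n";
echo output_is_escaped(render_title_safe($title)) ? "escaped\n" : "NOT escaped\n";
```

In a Drupal module the equivalent fix is usually applied in the theme function or template that builds the printer-friendly page: every value that originates from a node, comment or user field is passed through check_plain() (or filter_xss() when limited HTML is intentionally allowed, or t() with @-placeholders) rather than being inserted verbatim. The advisory's "full administrative access" outcome is the general XSS escalation path: script injected by a content author executes in the session of an administrator who views the printer-friendly version of the affected content.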
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554328
[3] http://drupal.org/node/554326
[4] http://drupal.org/project/print
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/91990
[8] http://drupal.org/security-team