* Advisory ID: DRUPAL-SA-CONTRIB-2009-039 * Project: Links Package (third-party module) * Version: 5.x, 6.x * Date: 2009-June-25 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Links Package is a multi-module set for managing URL links in a master directory, and attaching them in various ways to your content pages. The Links Related module of the Links Package does not properly escape user input used as the title on certain pages. A user with privileges to create content could attempt a cross site scripting [1] (XSS) attack which may lead to the user gaining full administrative access. -------- VERSIONS AFFECTED ---------------------------------------------------
* Links Package for Drupal 5.x prior to Links Package 5.x-1.13 * Links Package for Drupal 6.x prior to Links Package 6.x-1.2
Drupal core is not affected. If you do not use the contributed Links Package, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version: * If you use Links Package for Drupal 5.x upgrade to Links Package 5.x-1.13 [2] * If you use Links Packsge for Drupal 6.x upgrade to Links Package 6.x-1.2 [3]
See also the Links Package project page [4]. -------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [5] of the Drupal Security Team [6]. -------- FIXED BY ------------------------------------------------------------
Scott Courtney [7], the project maintainer. -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/501356 [3] http://drupal.org/node/501360 [4] http://drupal.org/project/links [5] http://drupal.org/user/52142 [6] http://drupal.org/security-team [7] http://drupal.org/user/9184