* Advisory ID: DRUPAL-SA-CONTRIB-2009-063 * Project: XML sitemap (third-party module) * Version: 5.x * Date: 2009-September-30 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. It also allows users with the 'administer site configuration' permission to add additional custom links to be included in the sitemap. In the additional links interface, the module does not properly sanitize the output of the link paths before display, leading to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED ---------------------------------------------------
* XML sitemap versions 5.x prior to 5.x-1.7
Drupal core is not affected. If you do not use the contributed XML sitemap module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the XML sitemap for Drupal 5.x upgrade to XML sitemap 5.x-1.7 [2]
See also the XML sitemap module project page [3]. -------- IMPORTANT NOTES -----------------------------------------------------
This vulnerability was publicly disclosed. If you find a security vulnerability, please contact the Security team rather than posting a public issue. If you are a module maintainer, do not commit any security-related code fixes unless you have coordinated with the Security team. -------- REPORTED BY ---------------------------------------------------------
This vulnerability was publicly disclosed. -------- FIXED BY ------------------------------------------------------------
Dave Reid [4] of the Drupal Security Team and module co-maintainer. -------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/591732 [3] http://drupal.org/project/xmlsitemap [4] http://drupal.org/user/53892