* Advisory ID: DRUPAL-SA-CONTRIB-2009-073 * Project: Printer, e-mail and PDF versions (third-party module) * Version: 5.x, 6.x * Date: 2009-October-14 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions [1] ("print") module provides printer-friendly versions of content. When displaying the list of links in a page, the module does not properly escape this data, leading to a cross site scripting [2] (XSS) vulnerability. In addition, the "Send by e-mail" sub-module does not properly check for access permissions before displaying the "Send to friend" form, and may display the page title for pages to which the user does not have access (usually as they are unpublished or unauthorized for his role), even though the user is not actually allowed to send them by e-mail. -------- VERSIONS AFFECTED ---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.9 * Printer, e-mail and PDF versions 5.x prior to 5.x-4.9
Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.9 [3] * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.9 [4]
Or Alternatively: Disable the "Printer-friendly URLs list" in 'admin/settings/print/common' and disable the "Send by e-mail" ("print_mail") module. See also the Printer, e-mail and PDF versions project page [5]. -------- REPORTED BY: --------------------------------------------------------
mcarbone [6] -------- FIXED BY ------------------------------------------------------------
jcnventura [7], the module maintainer -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. -------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions [8] ("print") module provides printer-friendly versions of content. When displaying the list of links in a page, the module does not properly escape this data, leading to a cross site scripting [9] (XSS) vulnerability. In addition, the "Send by e-mail" sub-module does not properly check for access permissions before displaying the "Send to friend" form, and may display the page title for pages to which the user does not have access (usually as they are unpublished or unauthorized for his role), even though the user is not actually allowed to send them by e-mail. -------- VERSIONS AFFECTED ---------------------------------------------------
* Printer, e-mail and PDF versions 6.x prior to 6.x-1.9 * Printer, e-mail and PDF versions 5.x prior to 5.x-4.9
Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.9 [10] * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.9 [11] Or Alternatively: Disable the "Printer-friendly URLs list" in 'admin/settings/print/common' and disable the "Send by e-mail" ("print_mail") module. See also the Printer, e-mail and PDF versions project page [12]. -------- REPORTED BY: --------------------------------------------------------
mcarbone [13] -------- FIXED BY ------------------------------------------------------------
jcnventura [14], the module maintainer -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/print [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/node/604806 [4] http://drupal.org/node/604804 [5] http://drupal.org/project/print [6] http://drupal.org/user/68488 [7] http://drupal.org/user/122464 [8] [9] http://en.wikipedia.org/wiki/Cross-site_scripting [10] http://drupal.org/node/604806 [11] http://drupal.org/node/604804 [12] http://drupal.org/project/print [13] http://drupal.org/user/68488 [14] http://drupal.org/user/122464