* Advisory ID: DRUPAL-SA-CONTRIB-2009-053
* Project: Ajax Table (third-party module)
* Version: 5.x
* Date: 2009-Aug-26
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------

The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters.

The module contains a number of security issues.

.... Access bypass

The module lacks access checks, which makes it possible for any user to delete arbitrary users and nodes.

.... Cross site scripting

The module doesn't escape certain user supplied values. Malicious users can use this to insert arbitrary HTML and script content into pages. Such a cross site scripting [1] attack may even lead to the malicious user gaining administrator access.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Ajax Table for Drupal 5.x

Drupal core is not affected. If you do not use the contributed Ajax Table module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

There is no solution available. Please disable the module and remove it from your server.

-------- REPORTED BY ---------------------------------------------------------

Franz Heinzmann [2]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/user/21850
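As an added illustration, and not code from the Ajax Table module or a patch for it (the advisory's solution remains to remove the module), the hypothetical Drupal 5.x fragment below shows the two defect classes from the Description section beside their corrected forms: a menu callback that declares an access check and verifies per-node delete permission, and a cell renderer that escapes user-supplied values with check_plain(). The module name example_table and its function names are assumptions; the API calls are standard Drupal 5 functions.

```php
<?php
// Hypothetical "example_table" module, not the Ajax Table module's code.
// Drupal 5.x API: hook_menu($may_cache), user_access(), node_access(),
// check_plain(), drupal_json().

/**
 * Implementation of hook_menu().
 * Before (the access-bypass defect): 'access' => TRUE, so any visitor could
 * reach the delete callback. After: the item is only reachable with the
 * 'administer nodes' permission; the menu system denies everyone else.
 */
function example_table_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'example_table/delete-node',
      'callback' => 'example_table_delete_node',
      'access' => user_access('administer nodes'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

/**
 * AJAX callback that deletes the node named in the POSTed nid.
 * Before: node_delete($_POST['nid']) with no check at all.
 * After: the id is cast to int and the caller must also pass node_access()
 * for that specific node, so a user cannot delete arbitrary nodes.
 */
function example_table_delete_node() {
  $nid = isset($_POST['nid']) ? (int) $_POST['nid'] : 0;
  $node = $nid ? node_load($nid) : FALSE;
  if (!$node || !node_access('delete', $node)) {
    drupal_access_denied();
    return;
  }
  node_delete($nid);
  drupal_json(array('status' => 'deleted', 'nid' => $nid));
}

/**
 * Renders one table cell from a user-supplied value.
 * Before (the XSS defect): '<td>'. $value .'</td>' emits any script tag
 * contained in $value as live markup.
 * After: check_plain() HTML-encodes <, >, &, " and ' before output.
 */
function example_table_cell($value) {
  return '<td>'. check_plain($value) .'</td>';
}
```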