* Advisory ID: DRUPAL-SA-CONTRIB-2009-042 * Project: Submitted By (third-party module) * Version: 6.x * Date: 2009-July-15 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Submitted By is a module to let you control the format of the "Submitted by" information on your content per content type. This module does not properly escape user input used in building the string to display the "submitted by" text. Only administrators with the 'administer content types' permission can enter this text. A user with this administrative privileges could attempt a cross site scripting [1] (XSS) attack which may lead to the user gaining full administrative access. In general, the permission "administer content types" is comparable in scope to the "administer site configuration" permission. Only grant this permission to trusted site administrators. See: http://drupal.org/node/372836 -------- VERSIONS AFFECTED ---------------------------------------------------
* Submitted By for Drupal 6.x prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed Submitted By module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version: * If you use Submitted By for Drupal 6.x upgrade to Submitted By 6.x-1.3 [2]
See also the Submitted By project page [3]. -------- REPORTED BY ---------------------------------------------------------
Nancy Wichmann [4], the project maintainer. -------- FIXED BY ------------------------------------------------------------
Nancy Wichmann [5], the project maintainer. -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/519246 [3] http://drupal.org/project/submitted_by [4] http://drupal.org/user/101412 [5] http://drupal.org/user/101412