* Advisory ID: DRUPAL-SA-CONTRIB-2011-023
* Project: Prepopulate (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple
-------- DESCRIPTION ---------------------------------------------------------
The Prepopulate module enables pre-populating forms in Drupal using the $_REQUEST variable.
The module does not adequately validate user input, leading to a cross-site scripting (XSS) possibility in certain circumstances. Users privileged to use forms with certain form fields can insert arbitrary HTML and script code into the rendered form. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting [1] (XSS).
The module does not properly protect the forms against Cross-site Request Forgeries (CSRF), allowing a malicious user to trick an authorized user into submitting unintended values on a form. Wikipedia has more information about cross-site request forgery [2].
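The two issues above share one root cause: request data is copied into the form structure with too little control over which elements, and which properties of those elements, it may reach. The following is an added illustration of that pattern in Drupal 6 Form API terms; it is not code from the Prepopulate module or from its 6.x-2.2 fix, and the function names, the `example_` prefix, the stand-in form array and the hostile request are all constructed for this example.

```php
<?php
/**
 * Added illustration, not code from the Prepopulate module or its fix.
 * Two hypothetical hook_form_alter() implementations that pre-populate a
 * Drupal 6 form from $_REQUEST['edit']: one unsafe, one hardened.
 * Function names, the sample form and the sample request are assumptions.
 */

// Constructed hostile request, as a crafted link might produce, e.g.
//   node/add/page?edit[title][#description]=<img src=x onerror=alert(1)>
//                &edit[body]=Hello <b>world</b>&edit[status]=1&edit[uid]=1
$_REQUEST['edit'] = array(
  'title'  => array('#description' => '<img src=x onerror=alert(1)>'),
  'body'   => 'Hello <b>world</b>',
  'status' => '1',   // a #type 'value' element: never rendered, but submitted
  'uid'    => '1',   // a hidden element: not reviewed by the user either
);

// Minimal stand-in for the form array a node form hands to hook_form_alter().
$form = array(
  '#token' => 'page_node_form',
  'title'  => array('#type' => 'textfield', '#title' => 'Title', '#default_value' => ''),
  'body'   => array('#type' => 'textarea',  '#title' => 'Body',  '#default_value' => ''),
  'status' => array('#type' => 'value',  '#value' => 0),
  'uid'    => array('#type' => 'hidden', '#value' => 42),
);

/**
 * UNSAFE: merges request data into the form array wholesale.
 */
function example_unsafe_form_alter(&$form, &$form_state, $form_id) {
  foreach ($_REQUEST['edit'] as $key => $value) {
    if (!isset($form[$key])) {
      continue;
    }
    if (is_array($value)) {
      // Lets the request set arbitrary #properties. Drupal 6's
      // theme_form_element() prints #description without escaping,
      // so a payload placed there is reflected XSS.
      $form[$key] = array_merge($form[$key], $value);
    }
    else {
      // Also overwrites #value on 'value' and 'hidden' elements the user
      // never sees, so a victim who follows the link and submits the form
      // sends attacker-chosen values without noticing (the CSRF-style issue).
      $form[$key]['#value'] = $value;
    }
  }
}

/**
 * HARDENED: only visible, user-editable inputs, and only #default_value.
 */
function example_safe_form_alter(&$form, &$form_state, $form_id) {
  $editable_types = array('textfield', 'textarea', 'select', 'checkbox', 'checkboxes', 'radios');
  foreach ($_REQUEST['edit'] as $key => $value) {
    // Reject Form API property names and unknown keys outright; this also
    // keeps form_token, form_id and form_build_id out of reach.
    if (!is_string($key) || $key === '' || $key[0] === '#' || !isset($form[$key])) {
      continue;
    }
    // Never pre-fill elements the user cannot see and review before submitting.
    $type = isset($form[$key]['#type']) ? $form[$key]['#type'] : '';
    if (!in_array($type, $editable_types, TRUE)) {
      continue;
    }
    // Only scalar values: a nested array would be property injection.
    if (!is_scalar($value)) {
      continue;
    }
    // #default_value, not #value: the element's theme function escapes it on
    // output (theme_textfield() and theme_textarea() call check_plain()) and the
    // submitted value still passes through the form's own validation handlers.
    // Anything that must land in #description, #prefix or a markup element
    // would instead need check_plain() or filter_xss() applied first.
    $form[$key]['#default_value'] = (string) $value;
  }
}

// Walk-through with the constructed request above.
$form_state = array();
$unsafe = $form;
example_unsafe_form_alter($unsafe, $form_state, 'page_node_form');
// $unsafe['title']['#description'] now holds the <img ... onerror> payload and
// $unsafe['status']['#value'] / $unsafe['uid']['#value'] are attacker-chosen.

$safe = $form;
example_safe_form_alter($safe, $form_state, 'page_node_form');
// Only $safe['body']['#default_value'] changed (to the raw string, which the
// theme layer escapes on render); title, status and uid are untouched.
```

The hardened variant does not add a CSRF token of its own: Drupal core already validates the hidden form_token on submit. What it does is keep request data away from the token and from any element the user cannot inspect, so a prepopulating link can at most fill fields the user will see and still has to deliberately submit.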
-------- VERSIONS AFFECTED ---------------------------------------------------
* Prepopulate module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Prepopulate [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate 6.x-2.2 [4]
-------- REPORTED BY ---------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [5]
* CSRF by David Rothstein (David_Rothstein), of the Drupal security team [6]
-------- FIXED BY ------------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [7]
* CSRF by Joshua Brauer (jbrauer), Module maintainer [8]
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact. Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/1182972
[5] https://drupal.org/user/69959
[6] http://drupal.org/user/124982
[7] https://drupal.org/user/69959
[8] http://drupal.org/user/12363
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration