View online: http://drupal.org/node/1853214
* Advisory ID: DRUPAL-SA-CONTRIB-2012-169 * Project: Email Field [1] (third-party module) * Version: 6.x * Date: 2012-11-28 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The email module provides a field type (CCK / FieldAPI) for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. .... Access bypass
The module didn't sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the field itself. This vulnerability is mitigated by needing to to use a field permission module (other than CCK's Content Permissions) with those email fields and need to have the field contact field formatter configured for either full or teaser display modes.
CVE: Requested
.... Cross Site Scripting
Furthermore the mailto link wasn't sanitized when output to the screen. This vulnerability is mitigated by the fact that Drupal's form validation for emails prevents malicious emails and would need to be bypassed to exploit this vulnerability, e.g. by importing data from external sources and not doing validation.
CVE: Requested
-------- VERSIONS AFFECTED ---------------------------------------------------
* Email Field 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Email Field [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Email Field module for Drupal 6.x, upgrade to Email 6.x-1.4 [4]
Also see the Email Field [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Fox (hefox) [6]
-------- FIXED BY ------------------------------------------------------------
* Matthias Hutterer [7] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Fox (hefox) [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/email [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/email [4] http://drupal.org/node/1852612 [5] http://drupal.org/project/email [6] http://drupal.org/user/426416 [7] http://drupal.org/user/59747 [8] http://drupal.org/user/426416 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration