* Advisory ID: DRUPAL-SA-CONTRIB-2009-114 * Project: Automated Logout (third-party module) * Version: 6.x * Date: 2009-December-23 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module provides a site administrator the ability to log users out after a specified time of inactivity. The module does not sanitize some of the user-supplied data before displaying it, leading to a cross-site scripting (XSS [1]) vulnerability. Users who can take advantage of this vulnerability could gain administrator access to a site. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer autologout' permission. -------- VERSIONS AFFECTED ---------------------------------------------------
* Automated Logout module 6.x-1.6 and prior versions on the 6.x-1.x branch * Automated Logout module 6.x-2.2 and prior versions on the 6.x-2.x branch
Note that the Drupal 5 version of the Automated Logout module is also affected, but the attacker must have a role with the 'administer site configuration' permission. The 'administer site configuration' permission is inherently unsafe and should only be granted to trusted users; therefore, this issue is not considered a security vulnerability for Drupal 5 (see http://drupal.org/node/475848). Drupal core is not affected. If you do not use the contributed Automated Logout [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the Automated Logout module for Drupal 6.x, upgrade to either Automated Logout 6.x-1.7 [3] or Automated Logout 6.x-2.3 [4]
See also the Automated Logout module project page [5]. -------- REPORTED BY ---------------------------------------------------------
mr.baileys [6] -------- FIXED BY ------------------------------------------------------------
jvandervort [7], one of the Automated Logout module maintainers -------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/project/autologout [3] http://drupal.org/node/667084 [4] http://drupal.org/node/667086 [5] http://drupal.org/project/autologout [6] http://drupal.org/user/383424 [7] http://drupal.org/user/35604