* Advisory ID: DRUPAL-SA-CONTRIB-2010-024 * Project: eTracker (third-party module) * Version: 6.x-1.1 * Date: 2010-March-03 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, it could have allowed cross-site scripting attacks by appending malicious code to the URL. -------- VERSIONS AFFECTED ---------------------------------------------------
* eTracker prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed eTracker module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use eTracker for Drupal 6.x upgrade to eTracker 6.x-1.2 [1]
See also the eTracker project page [2]. -------- REPORTED BY ---------------------------------------------------------
* Andreas Harder
-------- FIXED BY ------------------------------------------------------------
* Jürgen Haas (jurgenhaas [3]), the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/731018 [2] http://drupal.org/project/eTracker [3] http://drupal.org/user/168924