[Security-news] SA-CONTRIB-2009-033 - Quiz - Cross site scripting

3 Jun 2009


      * Advisory ID: DRUPAL-SA-CONTRIB-2009-033
  * Project: Quiz (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-June-03
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting
-------- DESCRIPTION  
---------------------------------------------------------
The Quiz module provides tools for authoring and administering quizzes
through Drupal. A quiz is given as a series of questions, with only one
question appearing per page. Scores are then stored in the database. The
module does not properly escape user-supplied data on some pages, allowing
malicious users to insert arbitrary HTML and script code into these pages. A
user who has access to create quizzes or quiz questions could attempt a cross
site scripting [1] (XSS) attack which may lead to the user gaining full
administrative access.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* All versions of Quiz for Drupal 5.x
  * Quiz 6.x-2.x prior to 6.x-2.2
  * Quiz 6.x-3.x prior to 6.x-3.0
Drupal core is not affected. If you do not use the contributed Quiz module,
there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
If you use Drupal 5.x, uninstall the Quiz module which has been marked
unmaintained for six months or upgrade to Quiz for Drupal 6.x. If you use
Drupal 6.x, install the latest version:
  * If you use Email Verification 6.x-2.x upgrade to Quiz 6.x-2.2 [2]
  * If you use Email Verification 6.x-3.x upgrade to Quiz 6.x-3.0 [3]
See also the Quiz [4] project page.
-------- REPORTED BY  
---------------------------------------------------------
Matt Butcher [5] and Stéphane Corlosquet [6] of the Drupal Security Team.
-------- FIXED BY  
------------------------------------------------------------
Matt Butcher [7], sivaji [8] and Stéphane Corlosquet [9] of the Drupal
Security Team.
-------- CONTACT  
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/481270
[3] http://drupal.org/node/481274
[4] http://drupal.org/project/quiz
[5] http://drupal.org/user/201798
[6] http://drupal.org/user/52142
[7] http://drupal.org/user/201798
[8] http://drupal.org/user/328724
[9] http://drupal.org/user/52142

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[Security-news] SA-CONTRIB-2009-033 - Quiz - Cross site scripting