SA-CONTRIB-2009-052 - Printer, e-mail and PDF versions - Cross site scripting - Security-news

20 Aug 2009


      * Advisory ID: DRUPAL-SA-CONTRIB-2009-052
  * Project: Printer, e-mail and PDF versions (Print) (third-party modules)
  * Version: 5.x, 6.x
  * Date: 2009-August-19
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting
-------- DESCRIPTION  
---------------------------------------------------------
The Printer, e-mail and PDF versions ("Print") module provides
printer-friendly versions of content. The module doesn't properly escape a
number of user-supplied variables before output. A user who has the
permission to add content could attempt a cross site scripting [1] (XSS)
attack which may in some cases lead to the user gaining full administrative
access.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Print versions 6.x prior to 6.x-1.8
  * Print versions 5.x prior to 5.x-4.8
Drupal core is not affected. If you do not use the contributed Print module,
there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
  * If you use the Print module on Drupal 6.x upgrade to 6.x-1.8 [2]
  * If you use the Print module on Drupal 5.x upgrade to 5.x-4.8 [3]
See also the Print module project page [4].
-------- REPORTED BY  
---------------------------------------------------------
Justin Klein Keane [5].
-------- FIXED BY  
------------------------------------------------------------
João Ventura [6], the "Printer, e-mail and PDF versions" project maintainer,
with assistance from Ben Jeavons [7] of the Drupal Security Team [8]
-------- CONTACT  
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554328
[3] http://drupal.org/node/554326
[4] http://drupal.org/project/print
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/91990
[8] http://drupal.org/security-team