* Advisory ID: DRUPAL-SA-CONTRIB-2009-035 * Project: Booktree (third-party module) * Version: 5.x, 6.x * Date: 2009-June-10 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Booktree takes as input a series of Book nodes and create a tree-like structure using Book node relationships.The Booktree module does not properly escape node title and node body on tree root pages. A user with privileges to create book pages could attempt a cross site scripting [1] (XSS) attack which may lead to the user gaining full administrative access. -------- VERSIONS AFFECTED ---------------------------------------------------

* Booktree for Drupal 5.x prior to Booktree 5.x-7.3 * Booktree for Drupal 6.x prior to Booktree 6.x-1.1

Drupal core is not affected. If you do not use the contributed Booktree module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version: * If you use Booktree for Drupal 5.x upgrade to Booktree 5.x-7.3 [2] * If you use Booktree for Drupal 6.x upgrade to Booktree 6.x-1.1 [3]

See also the Booktree project page [4]. -------- REPORTED BY ---------------------------------------------------------

Stéphane Corlosquet [5] of the Drupal Security Team [6]. -------- FIXED BY ------------------------------------------------------------

Uccio [7]. -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/487812 [3] http://drupal.org/node/487810 [4] http://drupal.org/project/booktree [5] http://drupal.org/user/52142 [6] http://drupal.org/security-team [7] http://drupal.org/user/32370