SA-CONTRIB-2010-022 - Internationalization - Arbitrary code execution - Security-news

3 Mar 2010


      * Advisory ID: DRUPAL-SA-CONTRIB-2010-022
  * Project: Internationalization (third-party module)
  * Version: 6.x-1.x 5.x-2.x
  * Date: 2010-March-03
  * Security risk: Highly Critical
  * Exploitable from: Remote
  * Vulnerability: Arbitrary code execution
-------- DESCRIPTION  
---------------------------------------------------------
The Internationalization module enables translation of user defined strings
using Drupal's locale interface. Some of these user defined strings have
Input formats associated with them. As translators can translate texts before
they go through the Input filters, using some filters like the PHP filter for
such strings allows translators to add arbitrary PHP code as part of the
translated string, which will be executed by the filters. Other filters
besides PHP filter may be dangerous too and as a general rule translators
shouldn't be allowed to translate text with Input filters they're not allowed
to use.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Internationalization 6.x-2.x prior to 6.x-1.3 [1]
  * Internationalization 5.x-2.x prior to 5.x-2.6 [2]
Drupal core is not affected. If you do not use the contributed
Internationalization module, there is nothing you need to do. Also if you are
not using Internationalization's 'String translation' (i18nstrings) module
together with 'Views translation' (i18nviews) or 'Block translation'
(i18nblocks) you don't need to update, though it is advisable to run the
latest version.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
  * If you use Internationalization for Drupal 6.x upgrade to
    Internationalization 6.x-1.3 [3] and follow these steps:
     * Visit the /Administer > Site configuration > Languages > Configure >
       String translation/ page
     * Check the Input formats that are safe for translators and the Safe text
       groups if you are using other contributed modules that rely on
       Internationalization's String translation features.
       Note: Checking all of them will cause the module to work as previous
       versions overriding all security checks, which may be useful if you are
       not using dangerous Input filters or translators are trusted users.
     * Go to /Administer > Site building > Translate interface > Refresh/ and
       refresh strings for all the text groups. This will remove dangerous
       texts from the translation system. They cannot be translated anymore.
* If you use Internationalization for Drupal 5.x upgrade to
    Internationalization 5.x-2.6 [4]. The new version will just drop the
    'Views translation' feature. There are no plans to update this feature to
    work safely with Internationalization 5.x
See also the Internationalization project page [5].
-------- REPORTED BY  
---------------------------------------------------------
* sinasquax [6]
  * Antonio Ospite [7]
-------- FIXED BY  
------------------------------------------------------------
* Jose Reyero [8], the module maintainer.
-------- CONTACT  
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact
[1] http://drupal.org/node/731590
[2] http://drupal.org/node/731586
[3] http://drupal.org/node/731590
[4] http://drupal.org/node/731586
[5] http://drupal.org/project/i18n
[6] http://drupal.org/user/460020
[7] http://drupal.org/user/234884
[8] http://drupal.org/user/4299