* Advisory ID: DRUPAL-SA-CONTRIB-2009-103 * Project: Strongarm (third-party module) * Version: 6.x * Date: 2009 November 18 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values. When using the settings page to see overridden variables, the value field is not sanitized before being displayed, leading to a Cross Site Scripting (XSS [1]) vulnerability. -------- VERSIONS AFFECTED ---------------------------------------------------

* Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Strongarm [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version: * If you use Strongarm module for Drupal 6.x upgrade to version 6.x-1.1 [4]

-------- REPORTED BY ---------------------------------------------------------

* Reported by bengtan [5]

-------- FIXED BY ------------------------------------------------------------

* Fixed by jmiccolis [6], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/636474 [3] http://drupal.org/project/strongarm [4] http://drupal.org/node/636474 [5] http://drupal.org/user/132729 [6] http://drupal.org/user/31731