* Advisory ID: DRUPAL-SA-CONTRIB-2009-062 * Project: Devel (third-party module) * Version: 5.x, 6.x * Date: 2009-September-23 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Devel versions 6.x prior to 6.x-1.18 * Devel versions 5.x prior to 5.x-1.2 Drupal core is not affected. If you do not use the contributed Devel module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Devel for Drupal 6.x upgrade to Devel 6.x-1.18 [2] * If you use the Devel for Drupal 5.x upgrade to Devel 5.x-1.2 [3] See also the Devel module project page [4]. -------- REPORTED BY --------------------------------------------------------- Stéphane Corlosquet [5] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ dmitrig01 [6] of the Drupal Security Team -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/585982 [3] http://drupal.org/node/585988 [4] http://drupal.org/project/devel [5] http://drupal.org/user/52142 [6] http://drupal.org/user/47566