SA-CONTRIB-2010-102 - Category tokens - Cross Site Scripting - Security-news

10 Nov 2010


      * Advisory ID: DRUPAL-SA-CONTRIB-2010-102
  * Project: Category tokens (third-party module)
  * Version: 6.x
  * Date: 2010-November-10
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross-Site Scripting
-------- DESCRIPTION  
---------------------------------------------------------
The Category tokens module exposes additional tokens for the first and last
terms related to a node for each vocabulary. The module does not sanitize the
vocabulary names when displayed in token help, leading to a Cross-Site
Scripting (XSS [1]) vulnerability that may lead to a malicious user gaining
full administrative access. This vulnerability is mitigated by the fact that
user must have the "administer taxonomy" permission in order to create and
edit vocabularies and enter the XSS.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Category tokens module for Drupal 6.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Category
tokens [2] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
  * If you use the Category tokens module for Drupal 6.x upgrade to Category
    tokens 6.x-1.1 [3]
See also the Category tokens project page [4].
-------- REPORTED BY  
---------------------------------------------------------
* Dave Reid [5], Drupal Security Team
-------- FIXED BY  
------------------------------------------------------------
* Dave Reid [6], Drupal Security Team
  * scheepers de bruin [7], module maintainer
-------- CONTACT  
-------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/category_tokens
[3] http://drupal.org/node/939848
[4] http://drupal.org/project/category_tokens
[5] http://drupal.org/user/53892
[6] http://drupal.org/user/53892
[7] http://drupal.org/user/162354
[8] http://drupal.org/security-team