SA-CONTRIB-2011-023 - Prepopulate - Multiple vulnerabilities
* Advisory ID: DRUPAL-SA-CONTRIB-2011-023
* Project: Prepopulate (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple

-------- DESCRIPTION ---------------------------------------------------------

The Prepopulate module enables pre-populating forms in Drupal using the $_REQUEST variable.

The module does not adequately validate user input, leading to a cross-site scripting (XSS) possibility in certain circumstances. Users privileged to use forms with certain form fields can insert arbitrary HTML and script code into the rendered form. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

Wikipedia has more information about cross-site scripting [1] (XSS).

The module does not properly protect the forms against Cross-site Request Forgeries (CSRF), allowing a malicious user to trick an authorized user into submitting unintended values on a form.

Wikipedia has more information about cross-site request forgery [2].

-------- VERSIONS AFFECTED ---------------------------------------------------

* Prepopulate module for Drupal 6.x versions prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed Prepopulate [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Prepopulate module for Drupal 6.x, upgrade to Prepopulate 6.x-2.2 [4]

-------- REPORTED BY ---------------------------------------------------------

* XSS by Ezra B. Gildesgame (ezra-g) [5]
* CSRF by David Rothstein (David_Rothstein), of the Drupal security team [6]

-------- FIXED BY ------------------------------------------------------------

* XSS by Ezra B. Gildesgame (ezra-g) [7]
* CSRF by Joshua Brauer (jbrauer), Module maintainer [8]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Learn more about the team and their policies [9], writing secure code for Drupal [10], and secure configuration [11] of your site.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/1182972
[5] https://drupal.org/user/69959
[6] http://drupal.org/user/124982
[7] https://drupal.org/user/69959
[8] http://drupal.org/user/12363
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
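The DESCRIPTION above gives the vulnerability class (request values copied into form fields and rendered without adequate validation) but not the module's code path. The following is an added illustration, not Prepopulate's own code and not the 6.x-2.2 fix: a minimal stand-in for "fill form elements from the request", with an unescaped render beside an escaped one. The function names prepopulate_walk(), render_textfield_unsafe() and render_textfield_safe(), the $request array and the allow-list of element types are assumptions made for this example; the request payload is constructed.

```php
<?php
// Added example, not the Prepopulate module's code. All names below are
// assumptions for illustration.

// Constructed sample request, as PHP would see it for
// ?edit[title]=%22%3E%3Cscript%3E...&edit[body]=hello
$request = array(
  'edit' => array(
    'title' => '"><script>alert(document.cookie)</script>',
    'body'  => 'hello',
  ),
);

// A small form definition in the Drupal 6 Form API style.
$form = array(
  'title'      => array('#type' => 'textfield', '#default_value' => ''),
  'body'       => array('#type' => 'textarea',  '#default_value' => ''),
  'form_token' => array('#type' => 'token',     '#default_value' => 'secret'),
);

/**
 * Copy request values onto matching form elements as #default_value.
 *
 * Only keys that already exist in the form and whose #type is on a short
 * allow-list of user-editable inputs are touched, so a request can neither
 * create elements nor overwrite internal ones (token, hidden, value).
 * Restricting the reachable elements is a general hardening for this kind
 * of feature; the advisory does not spell out the module's own CSRF path.
 */
function prepopulate_walk(array &$form, array $values) {
  $allowed = array('textfield' => TRUE, 'textarea' => TRUE);
  foreach ($values as $key => $value) {
    if (!isset($form[$key]) || !is_array($form[$key])) {
      continue;
    }
    if (is_array($value)) {
      prepopulate_walk($form[$key], $value);
    }
    elseif (isset($form[$key]['#type']) && isset($allowed[$form[$key]['#type']])) {
      $form[$key]['#default_value'] = (string) $value;
    }
  }
}

// Vulnerable pattern: the request-controlled default value is written
// straight into the value="" attribute, so a quote closes the attribute
// and the rest of the payload becomes markup.
function render_textfield_unsafe($name, array $el) {
  return '<input type="text" name="' . $name . '" value="' . $el['#default_value'] . '" />';
}

// Fixed pattern: escape at output time. Drupal 6's check_plain() validates
// UTF-8 and then calls htmlspecialchars() with ENT_QUOTES; plain
// htmlspecialchars() is used here so the file runs without Drupal.
function render_textfield_safe($name, array $el) {
  $value = htmlspecialchars($el['#default_value'], ENT_QUOTES, 'UTF-8');
  return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

prepopulate_walk($form, $request['edit']);

echo "unsafe: ", render_textfield_unsafe('title', $form['title']), "\n";
echo "safe:   ", render_textfield_safe('title', $form['title']), "\n";
// The token element is untouched by the walk because 'token' is not on the
// allow-list; the request cannot reach it.
echo "token:  ", $form['form_token']['#default_value'], "\n";
```

Run it with `php example.php`; the first line shows the attribute broken out of, the second shows the payload rendered inert. The point to carry over to real code is that the escaping belongs at the render step regardless of how the value arrived, and that a prepopulation feature should only ever set elements the user could have typed into anyway.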
participants (1): security-news@drupal.org