SA-CONTRIB-2009-085 - Insert Node - Cross Site Scripting - Security-news

28 Oct 2009


      * Advisory ID: DRUPAL-SA-CONTRIB-2009-085
  * Project: Insert Node (third-party module)
  * Version: 5.x
  * Date: 2009-October-28
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting
-------- DESCRIPTION  
---------------------------------------------------------
The Insert Node module provides an input filter that enables a node to be
inserted within the body field of another node. The module fails to sanitize
the inserted node, making it vulnerable to a cross site scripting (XSS [1])
attack.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Insert Node module versions for Drupal 5.x prior to Insert Node 5.x-1.2
    [2]
Drupal core is not affected. If you do not use the contributed Insert Node
[3] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version.
  * If you use the Insert Node module for Drupal 6.x there is nothing you need
    to do.
  * If you use the Insert Node module for Drupal 5.x upgrade to Insert Node
    5.x-1.2 [4]
-------- REPORTED BY  
---------------------------------------------------------
* Konstantin Käfer [5].
-------- FIXED BY  
------------------------------------------------------------
* Mark Burton [6] and Alexis Wilke [7], the module maintainers.
-------- CONTACT  
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/en/Cross_Site_Scripting
[2] http://drupal.org/node/616546
[3] http://drupal.org/project/insertnode
[4] http://drupal.org/node/616546
[5] http://drupal.org/user/14572
[6] http://drupal.org/user/114447
[7] http://drupal.org/user/356197