* Advisory ID: DRUPAL-SA-CONTRIB-2011-015
* Project: Translation Management (third-party module)
* Version: 6.x
* Date: 2011-March-30
* Security risk: Critical (definition of risk levels) [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Cross Site Request Forgeries, SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
The Translation Management module helps to manage the process of translating content on your site. The module has several vulnerabilities. It does not sufficiently escape user-supplied text before printing it to the browser or before using it in database queries, resulting in Cross Site Scripting (XSS) and SQL Injection vulnerabilities. It does not use the Form API or Drupal's token system to protect its state-changing actions against Cross Site Request Forgery (CSRF).
-------- VERSIONS AFFECTED ---------------------------------------------------
* Translation Management versions prior to 6.x-1.21
Drupal core is not affected. If you do not use the contributed Translation Management [2] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Translation Management module for Drupal 6.x, upgrade to 6.x-1.22 [3]
See also the Translation Management [4] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dave Reid [5] of the Drupal Security Team * Greg Dunlap [6]
-------- FIXED BY ------------------------------------------------------------
* Bruce Pearson [7] the module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact. Learn more about the team and their policies [8], writing secure code for Drupal [9], and secure configuration [10] of your site.
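The three bug classes named in the DESCRIPTION section, shown as an added illustration that is not code from the Translation Management module or from Drupal itself: a hypothetical Drupal 6 module (`tm_example`, its table `{tm_example_job}`, and every function name below are assumptions) with the unsafe pattern in comments beside the Drupal 6 API call that fixes it. `db_query()` placeholders close the SQL injection, `check_plain()` closes the XSS, and either `drupal_get_token()`/`drupal_valid_token()` on a link or a Form API confirmation form (whose hidden `form_token` Drupal validates itself) closes the CSRF.

```php
<?php
// Added illustration, not Translation Management code: hypothetical Drupal 6
// module "tm_example" with a table {tm_example_job}. Each unsafe pattern named
// in the advisory is shown commented out beside the API call that fixes it.

/**
 * Implementation of hook_menu().
 */
function tm_example_menu() {
  $items['admin/content/tm-example'] = array(
    'title' => 'Translation jobs',
    'page callback' => 'tm_example_list',
    'access arguments' => array('administer nodes'),
  );
  // Link-based cancel, protected by a per-session token in the query string.
  $items['admin/content/tm-example/cancel/%'] = array(
    'title' => 'Cancel translation job',
    'page callback' => 'tm_example_cancel',
    'page arguments' => array(4),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  // Form API alternative: Drupal adds and validates form_token itself.
  $items['admin/content/tm-example/confirm-cancel/%'] = array(
    'title' => 'Cancel translation job',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('tm_example_cancel_form', 4),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: list jobs, optionally filtered by ?language= from the URL.
 */
function tm_example_list() {
  $language = isset($_GET['language']) ? $_GET['language'] : '';

  // SQL injection: concatenating the raw parameter lets a value such as
  // ' OR '1'='1 rewrite the WHERE clause.
  //   db_query("SELECT nid, title, language FROM {tm_example_job} WHERE language = '$language'");
  // Fixed: a '%s' placeholder. db_query() escapes the argument before
  // substituting it; %d casts numeric arguments to integers.
  $result = db_query("SELECT nid, title, language FROM {tm_example_job} WHERE language = '%s'", $language);

  $rows = array();
  while ($job = db_fetch_object($result)) {
    // XSS: a stored title such as <script>...</script> is rendered as markup
    // if it is placed in the table unescaped.
    //   $rows[] = array($job->title, $job->language, ...);
    // Fixed: check_plain() on every untrusted string that reaches the browser.
    $rows[] = array(
      check_plain($job->title),
      check_plain($job->language),
      // CSRF: a bare /cancel/NID link fires from any page the administrator
      // loads (an <img src=...> is enough). drupal_get_token() binds the link
      // to the current session.
      l(t('Cancel'), 'admin/content/tm-example/cancel/' . $job->nid, array(
        'query' => array('token' => drupal_get_token('tm_example_cancel_' . $job->nid)),
      )),
    );
  }
  return theme('table', array(t('Title'), t('Language'), t('Operations')), $rows);
}

/**
 * Page callback: cancel a job via the tokenised link.
 */
function tm_example_cancel($nid) {
  // Reject the request unless the token was minted for this session and nid.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'tm_example_cancel_' . $nid)) {
    return drupal_access_denied();
  }
  db_query("DELETE FROM {tm_example_job} WHERE nid = %d", $nid);
  drupal_set_message(t('Translation job @nid cancelled.', array('@nid' => $nid)));
  drupal_goto('admin/content/tm-example');
}

/**
 * Form builder: the same action as a Form API confirmation form. The rendered
 * form carries a hidden form_token that Drupal validates before the submit
 * handler runs, so no hand-rolled token check is needed here.
 */
function tm_example_cancel_form(&$form_state, $nid) {
  $form['nid'] = array('#type' => 'value', '#value' => $nid);
  return confirm_form($form, t('Cancel this translation job?'), 'admin/content/tm-example');
}

function tm_example_cancel_form_submit($form, &$form_state) {
  db_query("DELETE FROM {tm_example_job} WHERE nid = %d", $form_state['values']['nid']);
  $form_state['redirect'] = 'admin/content/tm-example';
}
```

The check a practitioner wants when auditing a Drupal 6 contrib module is the same in each case: every `$_GET`/`$_POST`/database value that is echoed must pass through `check_plain()` (or `filter_xss()` when markup is intended), every query must use `db_query()` placeholders rather than string concatenation, and every URL that changes state must either be a Form API POST or carry a `drupal_get_token()` value that the callback verifies with `drupal_valid_token()` before doing anything.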
[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/project/translation_management
[3] http://drupal.org/node/1108848
[4] http://drupal.org/project/translation_management
[5] http://drupal.org/user/53892
[6] http://drupal.org/user/128537
[7] http://drupal.org/user/415674
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration