[Security-news] SA-CONTRIB-2009-019 - Localization client - Cross site scripting

security-news at drupal.org security-news at drupal.org
Wed Apr 15 20:08:43 UTC 2009


 * Advisory ID: DRUPAL-SA-CONTRIB-2009-019
 * Project: Localization client (third-party module)
 * Versions: 5.x, 6.x
 * Date: 2009-April-15
 * Security risk: Moderately critical
 * Exploitable from: Remote
 * Vulnerability: Cross-site scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

The Localization client module allows you to translate the interface of your
Drupal site from within each page as you go. When displaying translatable
strings and their completed translations, the module does not escape the
data. If used to translate the Drupal core interface, this is not a problem,
since no user input is involved. However, when used with modules such as the
Internationalization module suite or Views, user provided data is translated,
making the module vulnerable to cross-site scripting [1] (XSS). This enables
malicious users to insert arbitrary HTML and scripts into certain pages. Such
an attack against sufficiently privileged users may lead to administrator
access to the site.
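To make the escaping requirement concrete, here is an added illustration in Drupal 6 style; it is constructed for this advisory and is not the Localization client module's own code. The function names (l10n_example_render_strings_unsafe, l10n_example_render_strings_safe) and the sample string are assumptions; check_plain() and drupal_add_js() are real Drupal 6 core functions.

```php
<?php
// Constructed example, not the module's code. In Drupal 6, check_plain()
// HTML-escapes a string and drupal_add_js(..., 'setting') JSON-encodes data
// for Drupal.settings.

/**
 * Vulnerable pattern: source strings and translations are concatenated into
 * markup unescaped. Harmless for core interface strings (they come from code),
 * but a Views label or an i18n-translated title is user-provided data.
 */
function l10n_example_render_strings_unsafe(array $strings) {
  $output = '<ul class="l10n-strings">';
  foreach ($strings as $source => $translation) {
    $output .= '<li><span class="source">' . $source . '</span>';
    $output .= ' <span class="translation">' . $translation . '</span></li>';
  }
  return $output . '</ul>';
}

/**
 * Hardened pattern: every value is escaped at the point it becomes HTML.
 * The copy handed to JavaScript goes through Drupal.settings (JSON-encoded
 * by drupal_add_js); the client code must then set it as text (e.g. an
 * input's value), never as innerHTML.
 */
function l10n_example_render_strings_safe(array $strings) {
  $output = '<ul class="l10n-strings">';
  $settings = array();
  foreach ($strings as $source => $translation) {
    $output .= '<li><span class="source">' . check_plain($source) . '</span>';
    $output .= ' <span class="translation">' . check_plain($translation) . '</span></li>';
    $settings[] = array('source' => $source, 'translation' => $translation);
  }
  drupal_add_js(array('l10nExample' => $settings), 'setting');
  return $output . '</ul>';
}

// Constructed sample: a Views field label carrying a script tag. The unsafe
// renderer emits the tag verbatim; the safe renderer emits &lt;script&gt; as text.
$sample = array(
  'Latest <script>alert(1)</script> posts' => 'Derniers articles',
);
print l10n_example_render_strings_safe($sample);
```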

-------- VERSIONS AFFECTED ---------------------------------------------------

 * Versions of Localization client for Drupal 5.x prior to 5.x-1.2
 * Versions of Localization client for Drupal 6.x prior to 6.x-1.7

Drupal core is not affected. If you do not use the Localization client
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

 * If you use Localization client on Drupal 5, upgrade to Localization client
   5.x-1.2 [2]
 * If you use Localization client on Drupal 6, upgrade to Localization client
   6.x-1.7 [3]

-------- REPORTED BY ---------------------------------------------------------

Grégoire Moreau

-------- FIXED BY ------------------------------------------------------------

Roger Lopez, Alexander Hass, Bálint Csuthy, Jose A. Reyero and Gábor Hojtsy

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [4] and by selecting the security
issues category.


[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/434694
[3] http://drupal.org/node/434688
[4] http://drupal.org/contact

