[Security-news] SA-CONTRIB-2009-052 - Printer, e-mail and PDF versions - Cross site scripting
security-news at drupal.org
Thu Aug 20 06:32:41 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-052
* Project: Printer, e-mail and PDF versions (Print) (third-party modules)
* Version: 5.x, 6.x
* Date: 2009-August-19
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Printer, e-mail and PDF versions ("Print") module provides
printer-friendly versions of content. The module doesn't properly escape a
number of user-supplied variables before output. A user who has the
permission to add content could attempt a cross site scripting [1] (XSS)
attack which may in some cases lead to the user gaining full administrative
access.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Print versions 6.x prior to 6.x-1.8
* Print versions 5.x prior to 5.x-4.8
Drupal core is not affected. If you do not use the contributed Print module,
there is nothing you need to do.
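One way to check an installed copy against the version ranges above, as an added example that is not part of the advisory or of the Print project's code. It assumes the module's `print.info` file carries a `version = "..."` line and that versions follow the `<core>-<major>.<patch>` pattern used in the advisory; the sample file body and the function names are constructed for illustration.

```python
import re

# First fixed release per core branch, taken from the advisory text.
FIXED = {"5.x": (4, 8), "6.x": (1, 8)}

# Contrib version string: <core>-<major>.<patch>[-<extra>], e.g. 6.x-1.7
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9.]+))?$")
# "version" line of a module .info file (assumed layout, see SAMPLE_INFO).
INFO_VERSION_RE = re.compile(
    r'^[ \t]*version[ \t]*=[ \t]*"?([^"\s]+)"?[ \t\r]*$', re.M)

# Constructed sample of a print.info body; not copied from a real release.
SAMPLE_INFO = '''; constructed example
name = "Printer-friendly pages"
core = "6.x"
version = "6.x-1.7"
project = "print"
'''


def version_from_info(info_text):
    """Return the version value from a module .info file body, or None."""
    m = INFO_VERSION_RE.search(info_text)
    return m.group(1) if m else None


def print_module_status(version):
    """Classify a Print version string against the advisory.

    Returns 'affected', 'fixed', 'not-listed' (core branch not named in the
    advisory) or 'unknown' (dev snapshot, pre-release of the fixed version,
    or a string that does not parse).
    """
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"
    core, major, patch, extra = m.groups()
    if core not in FIXED:
        return "not-listed"
    if patch == "x":                      # e.g. 6.x-1.x-dev: no fixed point
        return "unknown"
    release = (int(major), int(patch))
    if release < FIXED[core]:
        return "affected"
    if release == FIXED[core] and extra:  # e.g. 6.x-1.8-rc1: review by hand
        return "unknown"
    return "fixed"


if __name__ == "__main__":
    found = version_from_info(SAMPLE_INFO)
    print(found, print_module_status(found))
```

Anything reported as `unknown` needs a manual look at the installed code rather than being treated as safe.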
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Print module on Drupal 6.x, upgrade to 6.x-1.8 [2]
* If you use the Print module on Drupal 5.x, upgrade to 5.x-4.8 [3]
See also the Print module project page [4].
-------- REPORTED BY ---------------------------------------------------------
Justin Klein Keane [5].
-------- FIXED BY ------------------------------------------------------------
João Ventura [6], the "Printer, e-mail and PDF versions" project maintainer,
with assistance from Ben Jeavons [7] of the Drupal Security Team [8].
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/554328
[3] http://drupal.org/node/554326
[4] http://drupal.org/project/print
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/122464
[7] http://drupal.org/user/91990
[8] http://drupal.org/security-team