[Security-news] SA-CONTRIB-2009-114 - Automated Logout - Cross Site Scripting
security-news at drupal.org
security-news at drupal.org
Thu Dec 24 03:48:51 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-114
* Project: Automated Logout (third-party module)
* Version: 6.x
* Date: 2009-December-23
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides a site administrator the ability to log users out after
a specified time of inactivity. The module does not sanitize some of the
user-supplied data before displaying it, leading to a cross-site scripting
(XSS [1]) vulnerability. Users who can take advantage of this vulnerability
could gain administrator access to a site. This vulnerability is mitigated by
the fact that the attacker must have a role with the 'administer autologout'
permission.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Automated Logout module 6.x-1.6 and prior versions on the 6.x-1.x branch
* Automated Logout module 6.x-2.2 and prior versions on the 6.x-2.x branch
Note that the Drupal 5 version of the Automated Logout module is also
affected, but the attacker must have a role with the 'administer site
configuration' permission. The 'administer site configuration' permission is
inherently unsafe and should only be granted to trusted users; therefore,
this issue is not considered a security vulnerability for Drupal 5 (see
http://drupal.org/node/475848). Drupal core is not affected. If you do not
use the contributed Automated Logout [2] module, there is nothing you need to
do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Automated Logout module for Drupal 6.x, upgrade to either
Automated Logout 6.x-1.7 [3] or Automated Logout 6.x-2.3 [4]
See also the Automated Logout module project page [5].
-------- REPORTED BY
---------------------------------------------------------
mr.baileys [6]
-------- FIXED BY
------------------------------------------------------------
jvandervort [7], one of the Automated Logout module maintainers
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/autologout
[3] http://drupal.org/node/667084
[4] http://drupal.org/node/667086
[5] http://drupal.org/project/autologout
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/35604
More information about the Security-news
mailing list