[Security-news] SA-CONTRIB-2009-042 - Submitted By - Cross Site Scripting

security-news at drupal.org
Wed Jul 15 19:26:31 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-042
  * Project: Submitted By (third-party module)
  * Version: 6.x
  * Date: 2009-July-15
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Submitted By is a module to let you control the format of the "Submitted by"
information on your content per content type. This module does not properly
escape user input used in building the string to display the "submitted by"
text. Only administrators with the 'administer content types' permission can
enter this text. A user with this administrative privilege could attempt a
cross site scripting [1] (XSS) attack which may lead to the user gaining full
administrative access. In general, the permission "administer content types"
is comparable in scope to the "administer site configuration" permission.
Only grant this permission to trusted site administrators. See:
http://drupal.org/node/372836
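
As an added illustration of the escaping defect described above (this is not code from the Submitted By module or from Drupal core), the following stand-alone PHP script models a per-content-type "submitted by" format string being assembled into page markup. The token names ([user], [date]) and the function names are assumptions made for this example; check_plain() is a local stand-in for the Drupal 6 function of the same name so the script runs outside Drupal.

```php
<?php
// Added example, not code from the Submitted By module or from Drupal.
// It models the advisory's issue: an administrator-supplied "submitted by"
// format string for a content type is assembled into page markup. The token
// names ([user], [date]) and the function names are assumptions.

// Stand-in for Drupal 6's check_plain(): escape HTML special characters so
// the string renders as text. Defined here so the script runs outside Drupal.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored format string is used verbatim, so any
// markup typed into the setting reaches the browser as live HTML.
function submitted_by_vulnerable($format, array $node) {
  return strtr($format, array(
    '[user]' => check_plain($node['name']),
    '[date]' => gmdate('Y-m-d', $node['created']),
  ));
}

// Hardened pattern: escape the administrator-supplied format string before
// token substitution. The tokens contain no HTML special characters, so they
// survive escaping and are still replaced; everything else becomes text.
function submitted_by_hardened($format, array $node) {
  return strtr(check_plain($format), array(
    '[user]' => check_plain($node['name']),
    '[date]' => gmdate('Y-m-d', $node['created']),
  ));
}

// Constructed sample node and two constructed format strings: one benign,
// one carrying markup as a compromised or careless administrator might store.
$node    = array('name' => 'alice', 'created' => 1247685991);
$benign  = 'Posted by [user] on [date]';
$hostile = 'Posted by [user] <script>alert(1)</script>';

echo submitted_by_vulnerable($benign, $node), "\n";
echo submitted_by_vulnerable($hostile, $node), "\n";
echo submitted_by_hardened($hostile, $node), "\n";
```

Running the script shows the second line passing the script element through unchanged, while the third line has it entity-encoded and therefore inert. Where a site legitimately wants the setting to carry some markup (a wrapping span, for instance), Drupal 6 also provides filter_xss_admin(), which strips dangerous tags while keeping the rest; the advisory does not state which approach the 6.x-1.3 fix took, only that the input is now escaped.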

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Submitted By for Drupal 6.x prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed Submitted By
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Submitted By for Drupal 6.x upgrade to Submitted By 6.x-1.3 [2]

See also the Submitted By project page [3].

-------- REPORTED BY ---------------------------------------------------------

Nancy Wichmann [4], the project maintainer.

-------- FIXED BY ------------------------------------------------------------

Nancy Wichmann [5], the project maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/519246
[3] http://drupal.org/project/submitted_by
[4] http://drupal.org/user/101412
[5] http://drupal.org/user/101412
