[Security-news] SA-CONTRIB-2009-033 - Quiz - Cross site scripting

security-news at drupal.org security-news at drupal.org
Wed Jun 3 20:42:27 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-033
  * Project: Quiz (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-June-03
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Quiz module provides tools for authoring and administering quizzes
through Drupal. A quiz is given as a series of questions, with only one
question appearing per page. Scores are then stored in the database. The
module does not properly escape user-supplied data on some pages, allowing
malicious users to insert arbitrary HTML and script code into these pages. A
user who has access to create quizzes or quiz questions could attempt a cross
site scripting [1] (XSS) attack which may lead to the user gaining full
administrative access.
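The following PHP snippet is an added illustration of the class of bug the advisory describes; it is not code from the Quiz module, and the advisory does not name the affected pages or fields, so the function names, the rendered markup and the sample question title are all constructed for the example. It shows user-authored quiz text echoed raw into a page next to the same text passed through the Drupal 6 escaping idiom, check_plain(), which is reproduced here as a stand-in so the script runs outside Drupal.

```php
<?php
// Added illustration (not Quiz module code) of "does not properly escape
// user-supplied data": text authored by a user with quiz/question creation
// rights is stored and later rendered to other users, including an
// administrator reviewing the quiz. Raw output is an XSS sink; output passed
// through check_plain() is not.

// Stand-in for Drupal 6's check_plain(): HTML-escape with ENT_QUOTES so that
// <, >, &, " and ' can neither open a tag nor break out of an attribute.
// (The real function also rejects invalid UTF-8; that check is omitted here.)
function check_plain_demo($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample title; the advisory publishes no payload, this is the
// generic proof-of-concept marker used to demonstrate stored XSS.
$question_title = 'What is 2+2? <script>alert(document.domain)</script>';

// Vulnerable pattern: user-supplied text concatenated straight into markup.
// The hypothetical CSS class and heading level are part of the illustration.
function render_question_vulnerable($title) {
  return '<h2 class="quiz-question-title">' . $title . '</h2>';
}

// Hardened pattern: escape at the output boundary, not at input time.
function render_question_fixed($title) {
  return '<h2 class="quiz-question-title">' . check_plain_demo($title) . '</h2>';
}

echo render_question_vulnerable($question_title), "\n";
// The <script> element reaches the browser intact and runs in the session of
// whoever views the question, which is how an author gains an admin's session.

echo render_question_fixed($question_title), "\n";
// The escaped form (&lt;script&gt;...) is rendered as literal text.

// Minimal self-check: the escaped rendering must not contain a raw tag.
assert(strpos(render_question_fixed($question_title), '<script') === false);
assert(strpos(render_question_vulnerable($question_title), '<script') !== false);
```

The same check applies when auditing any Drupal 6 module: every place a node title, question body or answer text is printed in a theme function or page callback should go through check_plain() (or filter_xss() where limited HTML is intended), and a page that shows a test string like the one above unescaped is the page to fix.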

-------- VERSIONS AFFECTED ---------------------------------------------------

  * All versions of Quiz for Drupal 5.x
  * Quiz 6.x-2.x prior to 6.x-2.2
  * Quiz 6.x-3.x prior to 6.x-3.0

Drupal core is not affected. If you do not use the contributed Quiz module,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

If you use Drupal 5.x, uninstall the Quiz module which has been marked
unmaintained for six months or upgrade to Quiz for Drupal 6.x. If you use
Drupal 6.x, install the latest version:
  * If you use Quiz 6.x-2.x, upgrade to Quiz 6.x-2.2 [2]
  * If you use Quiz 6.x-3.x, upgrade to Quiz 6.x-3.0 [3]

See also the Quiz [4] project page.

-------- REPORTED BY ---------------------------------------------------------

Matt Butcher [5] and Stéphane Corlosquet [6] of the Drupal Security Team.

-------- FIXED BY ------------------------------------------------------------

Matt Butcher [7], sivaji [8] and Stéphane Corlosquet [9] of the Drupal
Security Team.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/481270
[3] http://drupal.org/node/481274
[4] http://drupal.org/project/quiz
[5] http://drupal.org/user/201798
[6] http://drupal.org/user/52142
[7] http://drupal.org/user/201798
[8] http://drupal.org/user/328724
[9] http://drupal.org/user/52142
