[Security-news] SA-CONTRIB-2009-034 - Taxonomy manager - Cross site scripting
security-news at drupal.org
Wed Jun 10 18:06:12 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-034
* Project: Taxonomy manager (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Taxonomy manager module provides additional tools for administering
taxonomy through Drupal. A vocabulary gets displayed in a dynamic tree view,
where parent terms can be expanded to list their nested child terms or can be
collapsed. The module does not properly escape some user-supplied data,
allowing malicious users to insert arbitrary HTML and script code into the
administrative pages provided by this module. A user who has the 'administer
taxonomy' permission, and (depending on configuration) a user able to add
taxonomy terms via free tagging, could attempt a cross site scripting [1]
(XSS) attack which may lead to the user gaining full administrative access.
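The rendering flaw described above, shown as an added example that is not the module's own code: a tree view that concatenates term names straight into markup, beside the same view with every user-supplied value escaped before output. The term objects, their field names and the sample vocabulary are constructed for this illustration.

```javascript
// Added example, not Taxonomy manager code. Term fields (tid, name,
// children) and the sample vocabulary below are assumptions.

// Minimal HTML escaping, equivalent in spirit to Drupal's check_plain():
// term names are user-supplied text and must never be treated as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Unescaped form: the term name lands in the page exactly as stored,
// so a name containing markup is rendered as markup.
function renderTreeUnsafe(terms) {
  return '<ul>' + terms.map(t =>
    `<li id="term-${t.tid}">${t.name}` +
    (t.children.length ? renderTreeUnsafe(t.children) : '') +
    '</li>').join('') + '</ul>';
}

// Escaped form: same nested tree, but the name is escaped and the tid
// is coerced to a number, so neither can inject into the markup.
function renderTreeSafe(terms) {
  return '<ul>' + terms.map(t =>
    `<li id="term-${Number(t.tid)}">${escapeHtml(t.name)}` +
    (t.children.length ? renderTreeSafe(t.children) : '') +
    '</li>').join('') + '</ul>';
}

// Constructed sample vocabulary: one child term carries markup in its
// name, as a free-tagging user could submit it.
const SAMPLE_TERMS = [
  { tid: 1, name: 'Hardware', children: [
    { tid: 3, name: '<script>alert(1)</script>', children: [] },
  ]},
  { tid: 2, name: 'Software & Services', children: [] },
];

// Detection helper: does a raw <script> tag survive into the rendered HTML?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```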
-------- VERSIONS AFFECTED ---------------------------------------------------
* Taxonomy manager 6.x prior to 6.x-1.1
* Taxonomy manager 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the contributed Taxonomy
manager module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Taxonomy manager 6.x upgrade to Taxonomy manager 6.x-1.1 [2]
* If you use Taxonomy manager 5.x upgrade to Taxonomy manager 5.x-1.2 [3]
See also the Taxonomy manager [4] project page.
-------- REPORTED BY ---------------------------------------------------------
Justin Klein Keane (Justin_KleinKeane [5])
-------- FIXED BY ------------------------------------------------------------
Matthias Hutterer (mh86 [6] the maintainer) and Justin Klein Keane
(Justin_KleinKeane [7])
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/487602
[3] http://drupal.org/node/487620
[4] http://drupal.org/project/taxonomy_manager
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/59747
[7] http://drupal.org/user/302225