[Security-news] SA-CONTRIB-2009-035 - Booktree - Cross site scripting
security-news at drupal.org
security-news at drupal.org
Wed Jun 10 18:09:22 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-035
* Project: Booktree (third-party module)
* Version: 5.x, 6.x
* Date: 2009-June-10
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Booktree takes as input a series of Book nodes and create a tree-like
structure using Book node relationships.The Booktree module does not properly
escape node title and node body on tree root pages. A user with privileges to
create book pages could attempt a cross site scripting [1] (XSS) attack which
may lead to the user gaining full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Booktree for Drupal 5.x prior to Booktree 5.x-7.3
* Booktree for Drupal 6.x prior to Booktree 6.x-1.1
Drupal core is not affected. If you do not use the contributed Booktree
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you use Booktree for Drupal 5.x upgrade to Booktree 5.x-7.3 [2]
* If you use Booktree for Drupal 6.x upgrade to Booktree 6.x-1.1 [3]
See also the Booktree project page [4].
-------- REPORTED BY
---------------------------------------------------------
Stéphane Corlosquet [5] of the Drupal Security Team [6].
-------- FIXED BY
------------------------------------------------------------
Uccio [7].
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/487812
[3] http://drupal.org/node/487810
[4] http://drupal.org/project/booktree
[5] http://drupal.org/user/52142
[6] http://drupal.org/security-team
[7] http://drupal.org/user/32370
More information about the Security-news
mailing list