[Security-news] SA-CONTRIB-2009-039 - Links Package - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Thu Jun 25 15:51:47 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-039
  * Project: Links Package (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-June-25
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Links Package is a multi-module set for managing URL links in a master
directory, and attaching them in various ways to your content pages. The
Links Related module of the Links Package does not properly escape user input
used as the title on certain pages. A user with privileges to create content
could attempt a cross site scripting [1] (XSS) attack which may lead to the
user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Links Package for Drupal 5.x prior to Links Package 5.x-1.13
  * Links Package for Drupal 6.x prior to Links Package 6.x-1.2

Drupal core is not affected. If you do not use the contributed Links Package,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Links Package for Drupal 5.x upgrade to Links Package 5.x-1.13
    [2]
  * If you use Links Package for Drupal 6.x upgrade to Links Package 6.x-1.2
    [3]

See also the Links Package project page [4].

-------- REPORTED BY ---------------------------------------------------------

Stéphane Corlosquet [5] of the Drupal Security Team [6].

-------- FIXED BY ------------------------------------------------------------

Scott Courtney [7], the project maintainer.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/501356
[3] http://drupal.org/node/501360
[4] http://drupal.org/project/links
[5] http://drupal.org/user/52142
[6] http://drupal.org/security-team
[7] http://drupal.org/user/9184
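
A version check against the fixed releases named under VERSIONS AFFECTED, as an added example that is not part of the original advisory or of the Links Package code. It assumes the module's .info file carries the `version = "..."` line written by drupal.org packaging; the function names and the sample file contents are constructed for illustration.

```python
import re

# First fixed release per Drupal core branch, as stated in the advisory.
FIXED = {"5.x": (1, 13), "6.x": (1, 2)}

# The version line in a packaged module's .info file, e.g. version = "6.x-1.1"
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)
# core-major.patch[-extra], e.g. 5.x-1.12, 6.x-1.2-beta1, 6.x-1.x-dev
RELEASE = re.compile(r'^(\d+\.x)-(\d+)\.(\d+|x)(?:-(.+))?$')


def parse_info_version(info_text):
    """Return the version string found in .info file text, or None."""
    m = VERSION_LINE.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown'."""
    m = RELEASE.match(version or "")
    if not m:
        return "unknown"       # no version line (unpackaged checkout) or odd format
    core, major, patch, extra = m.groups()
    if core not in FIXED:
        return "not-listed"    # the advisory only covers 5.x and 6.x
    if patch == "x":
        return "unknown"       # -dev snapshot: the version string cannot decide
    release = (int(major), int(patch))
    if release < FIXED[core]:  # numeric compare, so 1.13 sorts after 1.2
        return "affected"
    if release == FIXED[core] and extra:
        return "unknown"       # pre-release of the fixed version: verify by hand
    return "fixed"


# Constructed sample .info contents (not taken from a real installation).
SAMPLES = {
    "5.x site": 'name = Links Related\nversion = "5.x-1.12"\n',
    "6.x site": 'name = Links Related\ncore = 6.x\nversion = "6.x-1.2"\n',
    "dev snapshot": 'name = Links Related\ncore = 6.x\nversion = "6.x-1.x-dev"\n',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        version = parse_info_version(text)
        print(f"{label}: {version} -> {classify(version)}")
```

Results of "unknown" need a manual look at the installed code rather than being read as safe.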


