[Security-news] SA-CONTRIB-2009-027 - Printer, e-mail and PDF versions - Cross-site scripting

security-news at drupal.org security-news at drupal.org
Wed May 13 16:57:55 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-027
  * Project: Printer, e-mail and PDF versions (third-party module)
  * Versions: 5.x, 6.x
  * Date: 2009-May-13
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

When outputting user-supplied data Drupal strips potentially dangerous HTML
attributes and tags or escapes characters which have a special meaning in
HTML. This output filtering secures the site against cross site scripting
attacks via user input. Certain byte sequences that are valid in the UTF-8
specification are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they appear before
the <meta http-equiv="Content-Type" /> tag that specifies the page content as
UTF-8, despite the fact that Drupal also sends a real HTTP header specifying
the content as UTF-8. This behaviour enables malicious users to insert and
execute JavaScript in the context of the website if site visitors are allowed
to post content. Note that this vulnerability is identical to the one fixed for
Drupal core by DRUPAL-SA-CORE-2009-005 [1]. Such a cross-site scripting [2]
(XSS) attack may lead to a malicious user gaining full administrative access.

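The defence the advisory describes is an ordering rule: the charset declaration has to be the first thing in <head>, ahead of any markup (typically the <title>) that can carry user-supplied text, because the browser's sniffing only sees what precedes it. The following checker is an added example written for this page; it is not code from the advisory, from Drupal core or from the Printer, e-mail and PDF versions module. The two sample documents and the function names (charset_meta_is_first, audit) are constructed for illustration and model the affected and corrected template ordering, not the module's actual template.

```python
from html.parser import HTMLParser

# Constructed sample documents (not taken from the advisory or the module).
# VULNERABLE_HEAD mirrors the ordering the advisory warns about: markup that may
# contain user-supplied text (here the <title>) is emitted before the charset
# meta tag, so a browser that sniffs the encoding sees the user text first.
VULNERABLE_HEAD = """<html><head>
<title>User supplied node title</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head><body></body></html>"""

# FIXED_HEAD declares the charset as the very first child of <head>.
FIXED_HEAD = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>User supplied node title</title>
</head><body></body></html>"""


def _declares_utf8(attrs):
    """True for <meta charset="utf-8"> or <meta http-equiv="Content-Type" content="...charset=utf-8">."""
    charset = (attrs.get("charset") or "").strip().lower()
    if charset == "utf-8":
        return True
    if (attrs.get("http-equiv") or "").strip().lower() == "content-type":
        content = (attrs.get("content") or "").lower().replace(" ", "")
        return "charset=utf-8" in content
    return False


class _HeadScanner(HTMLParser):
    """Record the order of <head> children and where the first UTF-8 meta tag sits."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_children = []    # tag names in order of appearance inside <head>
        self.charset_index = None  # index in head_children of the first UTF-8 meta

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if not self.in_head:
            return
        self.head_children.append(tag)
        if tag == "meta" and self.charset_index is None and _declares_utf8(dict(attrs)):
            self.charset_index = len(self.head_children) - 1

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def charset_meta_is_first(html):
    """Return True only if the UTF-8 charset meta tag is the first child of <head>.

    Anything emitted before it (a <title>, an inline script, any other markup that
    may carry user-supplied text) is exactly what the advisory describes: the real
    HTTP header does not help, because Internet Explorer 6 and 7 may sniff that
    leading content as UTF-7 before reaching the declaration.
    """
    scanner = _HeadScanner()
    scanner.feed(html)
    return scanner.charset_index == 0


def audit(html):
    """Return a one-line finding suitable for a template review."""
    scanner = _HeadScanner()
    scanner.feed(html)
    if scanner.charset_index is None:
        return "no UTF-8 charset meta tag in <head>"
    if scanner.charset_index > 0:
        before = ", ".join(scanner.head_children[:scanner.charset_index])
        return "charset meta tag appears after: " + before
    return "ok"


if __name__ == "__main__":
    for name, doc in (("vulnerable ordering", VULNERABLE_HEAD), ("fixed ordering", FIXED_HEAD)):
        print(name + ": " + audit(doc))
```

Running the checker over a site's rendered pages (the print, e-mail and PDF views included, since they use their own page template) is a quick way to confirm that an upgrade actually restored the ordering; the check also accepts the HTML5 <meta charset="utf-8"> form.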
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Versions of "Printer, e-mail and PDF versions" for Drupal 5.x prior to
    5.x-4.7
  * Versions of "Printer, e-mail and PDF versions" for Drupal 6.x prior to
    6.x-1.7

Drupal core is not affected. If you do not use the contributed "Printer,
e-mail and PDF versions" module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use "Printer, e-mail and PDF versions" for Drupal 5.x, upgrade to
    Printer, e-mail and PDF versions 5.x-4.7 [3]
  * If you use "Printer, e-mail and PDF versions" for Drupal 6.x, upgrade to
    Printer, e-mail and PDF versions 6.x-1.7 [4]

-------- REPORTED BY ---------------------------------------------------------

Daniel F. Kudwien [5]

-------- FIXED BY ------------------------------------------------------------

João Ventura [6]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/449078
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/461634
[4] http://drupal.org/node/461642
[5] http://drupal.org/user/54136
[6] http://drupal.org/user/122464