[Security-news] SA-CONTRIB-2009-030 - Email Verification - Information disclosure / Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed May 20 20:17:16 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-030
  * Project: Email Verification (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-May-20
  * Security risk: High
  * Exploitable from: Remote
  * Vulnerability: Information disclosure, Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Email Verification module tries to verify user email addresses by talking
to the appropriate SMTP host. It also allows the administrator to view a list
of unconfirmed email addresses. In the Drupal 5 version, this list is protected
only by the "access content" permission, which is typically granted to
anonymous and authenticated users alike, so a wide range of users can read
these addresses. In the Drupal 6 version this list is properly protected. In
both versions the usernames and email addresses on that list are output
without being escaped, allowing Cross Site Scripting (XSS) attacks. To learn
more about Cross Site Scripting read this article [1].
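
The following sketch is an added illustration and is not the Email
Verification module's own code. It shows, in a Drupal 6-style module, the two
defects the advisory describes with the hardened form beside each: a report
page reachable with "access content", and user-controlled strings written into
HTML unescaped. The function names, the menu path and the
{example_verify_unconfirmed} table and its columns are hypothetical.

```php
<?php
// Added example, not the module's code. Hook, table and path names are
// hypothetical; the Drupal 6 API calls (hook_menu, db_query, check_plain,
// theme('table')) are real.

/**
 * Implementation of hook_menu() (Drupal 6 API).
 *
 * Defect 1 (Drupal 5 branch): the report page was reachable with the
 * near-universal "access content" permission, so ordinary users could read
 * the unconfirmed addresses. The fix is to require an administrative
 * permission.
 */
function example_verify_menu() {
  $items = array();
  $items['admin/user/email_verify'] = array(
    'title' => 'Unconfirmed email addresses',
    'page callback' => 'example_verify_report',
    // VULNERABLE: 'access arguments' => array('access content'),
    // HARDENED: only users who may administer accounts see the list.
    'access arguments' => array('administer users'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Page callback that lists unconfirmed addresses.
 *
 * Defect 2 (both branches): the username and e-mail address are attacker
 * controlled (any registrant chooses them) and were emitted into the page
 * as-is, so a name such as "<script>...</script>" would execute in the
 * administrator's browser when the report was viewed.
 */
function example_verify_report() {
  $header = array(t('Username'), t('E-mail'));
  $rows = array();
  $result = db_query("SELECT name, mail FROM {example_verify_unconfirmed} ORDER BY name");
  while ($row = db_fetch_object($result)) {
    // VULNERABLE: $rows[] = array($row->name, $row->mail);
    // HARDENED: check_plain() HTML-encodes &, <, >, " and ' (htmlspecialchars
    // with ENT_QUOTES), so the values render as text, not markup.
    $rows[] = array(check_plain($row->name), check_plain($row->mail));
  }
  return theme('table', $header, $rows);
}
```

In the Drupal 5 API the same menu item carries a boolean
'access' => user_access('administer users') entry instead of 'access
arguments', but the principle is identical: the permission named in the menu
item is the only thing standing between an arbitrary visitor and the list, so
it must be an administrative one. check_plain() exists in both Drupal 5 and 6
and is the right call for any user-supplied string placed into HTML text or
attribute context; l() and t() with @-placeholders escape for you, but plain
concatenation and theme('table') rows do not.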

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Email Verification 5.x-1.x prior to 5.x-2.1
  * Email Verification 6.x-1.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Email
Verification module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Email Verification 5.x-1.x upgrade to Email Verification
    5.x-2.1 [2]
  * If you use Email Verification 6.x-1.x upgrade to Email Verification
    6.x-1.2 [3]
See also the Email Verification project page [4].

-------- REPORTED BY ---------------------------------------------------------

Gerhard Killesreiter (killes at www.drop.org) [5]

-------- FIXED BY ------------------------------------------------------------

Gerhard Killesreiter (killes at www.drop.org) [6] of the Drupal Security Team.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.


[1] en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/468432
[3] http://drupal.org/node/468436
[4] http://drupal.org/project/email_verify
[5] http://drupal.org/user/227
[6] http://drupal.org/user/227