[Security-news] SA-CONTRIB-2009-103 - Strongarm - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Nov 18 19:31:57 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-103
  * Project: Strongarm (third-party module)
  * Version: 6.x
  * Date: 2009 November 18
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Strongarm module enables other modules to enforce variable settings
programmatically. It can also be used to override any of these variables, and
lets the administrator see which variables have been overridden, along with
their current values. When using the settings page to see overridden
variables, the value field is not sanitized before being displayed, leading
to a Cross Site Scripting (XSS [1]) vulnerability.
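To make the flaw concrete, the following PHP sketch contrasts the unsanitized pattern the advisory describes with the corrected one. It is an added illustration, not the Strongarm module's code: the row-rendering functions, the `$overrides` array and the sample values are all constructed for this example, and a minimal stand-in for Drupal's `check_plain()` is defined only so the file runs outside a Drupal installation.

```php
<?php
// Added illustration, not the Strongarm module's own code. The helper names
// and the $overrides structure are assumptions made for this example.

if (!function_exists('check_plain')) {
  // Stand-in for Drupal 6's check_plain() so this file runs outside Drupal.
  // Drupal's version additionally validates the string as UTF-8.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample of overridden variables as a settings page might list
// them. The second value carries markup that must reach the browser only as
// inert text; the third shows that variable values are not always scalars.
$overrides = array(
  'site_name'    => 'Example site',
  'site_mission' => '<script>alert(1)</script>',
  'site_roles'   => array('editor', 'reviewer'),
);

// Vulnerable pattern: the value is concatenated straight into the HTML row,
// so any markup stored in the variable is rendered and executed by the browser.
function strongarm_example_row_vulnerable($name, $value) {
  if (!is_scalar($value)) {
    $value = var_export($value, TRUE);
  }
  return '<tr><td>' . check_plain($name) . '</td><td>' . $value . '</td></tr>';
}

// Hardened pattern: every untrusted string passes through check_plain() before
// it becomes part of the page. Non-scalar values are serialised to a readable
// string first so they are still displayed, but as escaped text.
function strongarm_example_row_safe($name, $value) {
  if (!is_scalar($value)) {
    $value = var_export($value, TRUE);
  }
  return '<tr><td>' . check_plain($name) . '</td><td>' . check_plain($value) . '</td></tr>';
}

// Render the sample table both ways so the difference is visible in the output.
foreach ($overrides as $name => $value) {
  echo "VULNERABLE: " . strongarm_example_row_vulnerable($name, $value) . "\n";
  echo "SAFE:       " . strongarm_example_row_safe($name, $value) . "\n";
}
```

Running it shows the `site_mission` row emitted verbatim by the vulnerable helper, while the safe helper turns `<` and `>` into `&lt;` and `&gt;`. The general rule the fix applies is that escaping belongs at the point where a value is written into HTML, not where it is stored, since a value that was harmless when saved can still have been changed by another module or an import.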

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Strongarm module for Drupal 6.x prior to Strongarm 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed Strongarm [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use the Strongarm module for Drupal 6.x, upgrade to version 6.x-1.1 [4]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by bengtan [5]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by jmiccolis [6], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/636474
[3] http://drupal.org/project/strongarm
[4] http://drupal.org/node/636474
[5] http://drupal.org/user/132729
[6] http://drupal.org/user/31731