[Security-news] DRUPAL-SA-CONTRIB-2009-073 - Printer, e-mail and PDF versions multiple vulnerabilities

security-news at drupal.org
Wed Oct 14 23:27:35 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-073
  * Project: Printer, e-mail and PDF versions (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-October-14
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

The Printer, e-mail and PDF versions [1] ("print") module provides
printer-friendly versions of content. When displaying the list of links in a
page, the module does not properly escape this data, leading to a cross site
scripting [2] (XSS) vulnerability. In addition, the "Send by e-mail"
sub-module does not properly check for access permissions before displaying
the "Send to friend" form, and may display the page title for pages to which
the user does not have access (usually as they are unpublished or
unauthorized for his role), even though the user is not actually allowed to
send them by e-mail.
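The advisory names two defect classes: link data rendered without escaping (XSS) and a "Send to friend" form that exposes a node title before the node's access rules have been applied. The following is an added illustration, not code from the print module or its maintainer: a hypothetical Drupal 6 module (the function names example_print_*, the paths example/print and example/print/mail, and the permission 'access send by email' are all assumed) that shows the defensive pattern for both: letting l() escape link text and URLs, using node_access() as the menu access callback so the title is never rendered for nodes the user may not view, and repeating the access check on submit.

```php
<?php
// Added example (hypothetical module, not the print module's code).
// Shows output escaping for a link list and access checks for a
// "send by e-mail" form in Drupal 6 API terms.

/**
 * Implementation of hook_menu() for the hypothetical paths.
 */
function example_print_menu() {
  $items = array();
  $items['example/print/%node'] = array(
    'title' => 'Printer-friendly version',
    'page callback' => 'example_print_page',
    'page arguments' => array(2),
    // %node loads the node; node_access('view') runs before the page
    // callback, so unpublished or role-restricted nodes never reach it.
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
    'type' => MENU_CALLBACK,
  );
  $items['example/print/mail/%node'] = array(
    'title' => 'Send page by e-mail',
    'page callback' => 'example_print_mail_page',
    'page arguments' => array(3),
    'access callback' => 'example_print_mail_access',
    'access arguments' => array(3),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: require the module permission AND node view access.
 * Checking only the permission is the gap the advisory describes.
 */
function example_print_mail_access($node) {
  return user_access('access send by email') && node_access('view', $node);
}

/**
 * Build the list of printer-friendly links for a node.
 *
 * $paths is treated as untrusted. l() passes the link text through
 * check_plain() and the path through check_url() unless 'html' => TRUE
 * is given, so neither a crafted title nor a crafted path injects markup.
 */
function example_print_links($node, $paths) {
  $items = array();
  foreach ($paths as $path) {
    $items[] = l($node->title . ' (' . $path . ')', $path);
  }
  return theme('item_list', $items);
}

function example_print_page($node) {
  // check_plain() on any value that is echoed outside l().
  $output = '<h2>' . check_plain($node->title) . '</h2>';
  $output .= example_print_links($node, array('node/' . $node->nid));
  return $output;
}

function example_print_mail_page($node) {
  // Reached only after example_print_mail_access() passed, so the title
  // is disclosed solely to users allowed to view the node. In Drupal 6
  // drupal_set_title() expects an already-sanitized string.
  drupal_set_title(check_plain($node->title));
  return drupal_get_form('example_print_mail_form', $node);
}

function example_print_mail_form(&$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $form['to'] = array(
    '#type' => 'textfield',
    '#title' => t('Recipient e-mail'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

function example_print_mail_form_validate($form, &$form_state) {
  if (!valid_email_address($form_state['values']['to'])) {
    form_set_error('to', t('Enter a valid e-mail address.'));
  }
  // Re-check on submit: the form display check alone does not stop a
  // replayed or forged POST for a node the user may not view.
  $node = node_load($form_state['values']['nid']);
  if (!$node || !node_access('view', $node)) {
    form_set_error('', t('You are not allowed to send this page.'));
  }
}
```

The two checks are deliberately separate: the menu access callback prevents the title from being rendered at all, while the validate handler guards the action itself, which is what the "not actually allowed to send" clause of the advisory is about.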

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
  * Printer, e-mail and PDF versions 5.x prior to 5.x-4.9

Drupal core is not affected. If you do not use the contributed Printer,
e-mail and PDF versions module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to
    Printer, e-mail and PDF versions 6.x-1.9 [3]
  * If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to
    Printer, e-mail and PDF versions 5.x-4.9 [4]

Alternatively, disable the "Printer-friendly URLs list" in
'admin/settings/print/common' and disable the "Send by e-mail" ("print_mail")
module. See also the Printer, e-mail and PDF versions project page [5].

-------- REPORTED BY ---------------------------------------------------------

mcarbone [6]

-------- FIXED BY ------------------------------------------------------------

jcnventura [7], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.


[1] http://drupal.org/project/print
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/604806
[4] http://drupal.org/node/604804
[5] http://drupal.org/project/print
[6] http://drupal.org/user/68488
[7] http://drupal.org/user/122464