[Security-news] SA-CONTRIB-2009-063 - XML sitemap - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Sep 30 14:29:39 UTC 2009 

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-063
  * Project: XML sitemap (third-party module)
  * Version: 5.x
  * Date: 2009-September-30
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

The XML sitemap module creates a sitemap that conforms to the sitemaps.org
specification. It also allows users with the 'administer site configuration'
permission to add additional custom links to be included in the sitemap. In
the additional links interface, the module does not properly sanitize the
output of the link paths before display, leading to a cross-site scripting
(XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining
full administrative access.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * XML sitemap versions 5.x prior to 5.x-1.7

Drupal core is not affected. If you do not use the contributed XML sitemap
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the XML sitemap for Drupal 5.x upgrade to XML sitemap 5.x-1.7
    [2]

See also the XML sitemap module project page [3].
-------- IMPORTANT NOTES  
-----------------------------------------------------

This vulnerability was publicly disclosed. If you find a security
vulnerability, please contact the Security team rather than posting a public
issue. If you are a module maintainer, do not commit any security-related
code fixes unless you have coordinated with the Security team.
-------- REPORTED BY  
---------------------------------------------------------

This vulnerability was publicly disclosed.
-------- FIXED BY  
------------------------------------------------------------

Dave Reid [4] of the Drupal Security Team and module co-maintainer.
-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/591732
[3] http://drupal.org/project/xmlsitemap
[4] http://drupal.org/user/53892

More information about the Security-news mailing list