[Security-news] SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Apr 7 22:10:35 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-034
  * Project: Internationalization (third-party module)
  * Version: 6.x
  * Date: 2010-April-7
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Internationalization module enables translation of user defined strings
using Drupal's locale interface. Some of these user defined strings have
input formats associated with them, and some of the strings used for
translating blocks were not properly filtered before display. Additionally,
none of the strings translated using this module were checked for potentially
malicious HTML and script code, as regular Drupal string translations are.
Both issues would allow a user with the 'translate interface' or the
'administer blocks' permission to attempt a cross site scripting (XSS)
attack, which may lead to the user gaining full administrative access.
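
To illustrate the missing check the description refers to, here is an added example (not the module's or Drupal core's code): core's locale module refuses to save a translation unless it consists only of allowlisted markup, and that is the check the affected module skipped. The tag allowlist, attribute list and URL rule below are constructed assumptions, not core's exact filter_xss() configuration.

```python
# Added illustration, not Drupal's or the module's code: the "is this translation
# safe" check that core's locale module applies and that i18nstrings skipped
# before 6.x-1.4. The tag/attribute allowlist and URL rule are constructed
# assumptions, not the exact filter_xss() configuration core uses.
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "abbr", "b", "em", "i", "strong", "span", "p", "br",
                "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"href", "src", "title", "alt", "class"}
URL_ATTRS = {"href", "src"}


def _url_ok(value):
    """Accept relative URLs and a few known schemes; reject e.g. javascript:."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "mailto:")) or ":" not in v


class _MarkupCheck(HTMLParser):
    """Collect every construct an allowlist filter would have to strip."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag <{tag}>")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:          # catches onerror=, style=, ...
                self.problems.append(f"attribute {name} on <{tag}>")
            elif name in URL_ATTRS and not _url_ok(value):
                self.problems.append(f"unsafe URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag </{tag}>")


def markup_problems(string):
    """Return the reasons a translation would be rejected (empty list = safe)."""
    p = _MarkupCheck()
    p.feed(string)
    p.close()
    return p.problems


def translation_is_safe(string):
    """locale's rule, as a module should apply it before saving a translation."""
    return not markup_problems(string)


def unsafe_translations(strings):
    """Audit helper: which stored translations a translation form should refuse."""
    return [s for s in strings if not translation_is_safe(s)]
```

Running unsafe_translations() over an export of the i18nstrings table is a quick way to find translations saved before the update that core's own check would have refused.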

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Internationalization 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed
Internationalization module, there is nothing you need to do. Also, if you are
not using Internationalization's 'String translation' (i18nstrings) module,
you don't need to update.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Internationalization module for Drupal 6.x, update to
    Internationalization 6.x-1.4 [1] and run the Drupal database update.

See also the Internationalization project page [2].

-------- REPORTED BY ---------------------------------------------------------

  * Antonio Ospite [3]

-------- FIXED BY ------------------------------------------------------------

  * Jose Reyero [4], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The Security Team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [5].

[1] http://drupal.org/node/764906
[2] http://drupal.org/project/i18n
[3] http://drupal.org/user/234884
[4] http://drupal.org/user/4299
[5] http://drupal.org/contact
