[Security-news] SA-CONTRIB-2010-079 - Devel (Performance logging) - Cross Site Scripting

security-news at drupal.org
Wed Aug 4 22:51:42 UTC 2010


  * Advisory ID: SA-CONTRIB-2010-079
  * Project: Devel (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-Aug-04
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION: --------------------------------------------------------

The devel project is a suite of modules for developers and themers. Within
the devel project there is the performance logging module. The module does
not escape URLs built from node paths, leading to a Cross Site Scripting
(XSS) vulnerability. Users with the permission to access the reports that the
performance module produces are vulnerable to attack. A malicious user needs
the ability to add URL aliases to create and exploit the vulnerability.
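An added illustration of the escaping defect described above, not code from the Devel module: a minimal PHP report row builder is shown in its unescaped form beside one that passes the stored alias through Drupal's check_plain(). The report functions and the sample alias are constructed for this example, and a fallback check_plain() is defined so it runs outside Drupal.

```php
<?php
// Added illustration for this advisory; not the Devel module's own code.
// A tiny report row builder is shown twice: once inserting a stored URL
// alias into HTML verbatim (the class of defect described above) and once
// passing it through check_plain(), which is how Drupal code is expected to
// neutralise untrusted text before it reaches markup.

// Drupal 6 defines check_plain(); outside Drupal, supply the same escaping
// so this file runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: an alias as a user allowed to add URL aliases could
// store it. Any markup it carries is the alias author's, not the site's.
$alias = 'news/latest<script>alert(1)</script>';

// Unescaped: the alias becomes part of the page markup, so the script runs
// in the browser of every user who views the performance report.
function report_row_unescaped($path, $ms) {
  return '<tr><td>' . $path . '</td><td>' . (int) $ms . ' ms</td></tr>';
}

// Escaped: the alias is rendered as literal text; "<" becomes "&lt;", so
// the browser never sees a script element.
function report_row_escaped($path, $ms) {
  return '<tr><td>' . check_plain($path) . '</td><td>' . (int) $ms . ' ms</td></tr>';
}

// Self-check: the hardened row must contain no raw tag from the alias.
function row_is_safe($row) {
  return strpos($row, '<script') === false;
}

echo report_row_unescaped($alias, 42), PHP_EOL;
echo report_row_escaped($alias, 42), PHP_EOL;
echo row_is_safe(report_row_escaped($alias, 42)) ? 'escaped row: ok' : 'escaped row: UNSAFE', PHP_EOL;
```

The same rule applies to any other stored string the report prints (titles, query strings, user names): escape at the point of output, not only where the value is created.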

-------- VERSIONS AFFECTED: --------------------------------------------------

  * Devel module for Drupal 5.x versions prior to 5.x-1.3
  * Devel module for Drupal 6.x versions prior to 6.x-1.21

Drupal core is not affected. If you do not use the contributed performance
logging module, there is nothing you need to do.

-------- SOLUTION: -----------------------------------------------------------

Install the latest version:
  * For Drupal 5.x, upgrade to Devel 5.x-1.3 [1]
  * For Drupal 6.x, upgrade to Devel 6.x-1.21 [2]

See also the Devel [3] project page.

-------- REPORTED BY: --------------------------------------------------------

  * Justin James Grevich

-------- FIXED BY: -----------------------------------------------------------

  * Khalid Baheyeldin (kbahey [4]), the performance logging module maintainer

The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact.

[1] http://drupal.org/node/874130
[2] http://drupal.org/node/874116
[3] http://drupal.org/project/devel
[4] http://drupal.org/user/4063