[Security-news] SA-CONTRIB-2010-003 - Forward - Cross site scripting

security-news at drupal.org security-news at drupal.org
Wed Jan 6 23:38:38 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-003
  * Project: Forward (third-party module)
  * Version: 6.x
  * Date: 2010-January-6
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple XSS vulnerabilities

-------- DESCRIPTION  ---------------------------------------------------------

This module allows users to forward a link to a specific node on your site to
a friend. The Forward module does not properly sanitize user supplied data,
allowing users with the "access administration pages" and "administer
forward" permissions, or users with "access administration pages" and
"administer site configuration" permissions to inject scripts into Drupal
generated output, leading to a cross-site scripting (XSS [1]) vulnerability.
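To illustrate the class of defect the advisory describes, the following is an added, hypothetical Drupal 6 fragment (constructed for this note, not the Forward module's own code): a setting entered through an administration form is echoed into page output unsanitized, shown beside the corrected version that uses Drupal's output-escaping API. All function and variable names are assumptions.

```php
<?php
// Constructed Drupal 6 example; names are hypothetical, not Forward's code.
// An admin-entered setting saved through system_settings_form() is later
// rendered on a public page. Only the output step differs below.

function example_forward_menu() {
  $items['forward/intro'] = array(
    'title' => 'Forward this page',
    'page callback' => 'example_forward_intro_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Admin settings form: the text field is stored as-is in the variable table.
function example_forward_settings_form() {
  $form['example_forward_intro'] = array(
    '#type' => 'textfield',
    '#title' => t('Introductory text shown on the forward page'),
    '#default_value' => variable_get('example_forward_intro', ''),
  );
  return system_settings_form($form);
}

// VULNERABLE: the stored string is concatenated into HTML unchanged, so a
// value such as <script>...</script> saved by a user holding the admin
// permissions runs in every visitor's browser (stored XSS).
function example_forward_intro_page_vulnerable() {
  $intro = variable_get('example_forward_intro', '');
  return '<p>' . $intro . '</p>';
}

// FIXED: escape on output. check_plain() converts HTML special characters so
// the text is displayed literally and never interpreted as markup.
function example_forward_intro_page() {
  $intro = variable_get('example_forward_intro', '');
  return '<p>' . check_plain($intro) . '</p>';
}

// If the setting is meant to carry limited HTML, use filter_xss() with an
// explicit allowed-tag list rather than trusting the stored value.
function example_forward_intro_page_html() {
  $intro = variable_get('example_forward_intro', '');
  return filter_xss($intro, array('a', 'em', 'strong', 'p'));
}
```

The same rule applies to every other sink: data read back from variable_get() or the database is untrusted at output time regardless of which role saved it, so the escaping belongs at the point it is rendered.
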

-------- VERSIONS AFFECTED  ---------------------------------------------------

  * Forward version prior to 6.x-1.12

Drupal core is not affected. If you do not use the contributed Forward [2]
module, there is nothing you need to do.

-------- SOLUTION  ------------------------------------------------------------

Install the latest version: upgrade to Forward 6.x-1.12 [3]. See also the
Forward module project page [4].

-------- REPORTED BY  ---------------------------------------------------------

mr.baileys [5]

-------- FIXED BY  ------------------------------------------------------------

mr.baileys [6]

-------- CONTACT  -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/forward
[3] http://drupal.org/node/676494
[4] http://drupal.org/project/forward
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/383424