[Security-news] SA-CONTRIB-2010-053 - External Link Page - Cross Site Scripting (XSS)

security-news at drupal.org security-news at drupal.org
Wed May 19 22:39:35 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-053
  * Project: External Link Page (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-March-19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

.... Description

The External Link Page provides a content filter that redirects external
links to a customizable page. This page informs the user that they are about
to leave the site and then redirects them. The module does not sanitise data
entered on its administration page before displaying it on redirect pages,
allowing for a cross site scripting [1] (XSS) attack that may lead to a
malicious user gaining full administrative access.

.... Versions affected

  * External Link Page prior to 5.x-1.0
  * External Link Page prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed External Link
Page module, there is nothing you need to do.

.... Solution

Install the latest version:
  * If you use External Link Page for Drupal 5.x, upgrade to External Link Page
    5.x-1.0 [2]
  * If you use External Link Page for Drupal 6.x, upgrade to External Link Page
    6.x-1.2 [3]

.... Reported by

  * zzolo [4], the module maintainer

.... Fixed by

  * zzolo [5], the module maintainer

.... Contact

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/xxxx
[3] http://drupal.org/node/xxxx
[4] http://drupal.org/user/147331
[5] http://drupal.org/user/147331