[Security-news] SA-CONTRIB-2011-023 - Prepopulate - Multiple vulnerabilities
security-news at drupal.org
security-news at drupal.org
Wed Jun 8 22:39:28 UTC 2011
* Advisory ID: DRUPAL-SA-CONTRIB-2011-023
* Project: Prepopulate (third-party module)
* Version: 6.x
* Date: 2011-June-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple
-------- DESCRIPTION
---------------------------------------------------------
The Prepopulate module enables pre-populating forms in Drupal using the
$_REQUEST vairable.
The module does not adequately validate user input leading to an cross-site
scripting (XSS) possibility in certain circumstances. Users privileged to use
forms with certain form fields can insert arbitrary HTML and script code into
the rendered form. Such a cross-site scripting attack may lead to the
malicious user gaining administrative access. Wikipedia has more information
about cross-site scripting [1] (XSS).
The module does not properly protect the forms against Cross-site Request
Forgeries (CSRF), allowing a malicious user to trick an authorized user into
submitting unintended values on a form. Wikipedia has more information about
cross-site request forgery [2].
-------- VERSIONS AFFECTED
---------------------------------------------------
* Prepopulate module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Prepopulate
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate
6.x-2.2 [4]
-------- REPORTED BY
---------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [5]
* CSRF by David Rothstein (David_Rothstein), of the Drupal security team [6]
-------- FIXED BY
------------------------------------------------------------
* XSS by Ezra B. Gildesgame (ezra-g) [7]
* CSRF by Joshua Brauer (jbrauer), Module maintainer [8]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [9], writing secure code for Drupal [10], and secure configuration
[11] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/1182972
[5] https://drupal.org/user/69959
[6] http://drupal.org/user/124982
[7] https://drupal.org/user/69959
[8] http://drupal.org/user/12363
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
More information about the Security-news
mailing list