[Security-news] DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting
security-news at drupal.org
security-news at drupal.org
Wed Mar 7 21:56:41 UTC 2012
* Advisory ID: DRUPAL-PSA-2012-001
* Version: 6.x, 7.x
* Date: 2012-March-07
* Security risk: Moderately critical [1]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This is a public service announcement regarding possible cross-site scripting
risks associated with interface localizations for Drupal. Drupal has
cross-site scripting prevention filters in the interface localization import
code in Drupal core, however, the extent to which localization can be used to
inject markup to webpages is wider, and due to Drupal's localization
architecture and code reuse, we cannot tell in advance where the localized
text is going to be used and how we should sanitize the translated text. When
translated text is used, developers do not expect that it might cause
cross-site scripting issues and therefore do not use filtering techniques
when the resulting text is assembled into the output.
You should be aware that Drupal's cross-site scripting prevention for
interface localizations is not complete and therefore you should review the
localizations imported to your site before importing them or ensure that they
come from trusted sources. Even Drupal's central localization source,
localize.drupal.org has configurable permission system for teams. Those teams
where translations are moderated by a team of volunteers are less likely to
contain any attack code.
Consequently we are adding /translate interface/ to our list of advanced
permissions in our Security advisories process and permissions policy [2]
document.
The issue also affect contributed modules like Localization update which
automate localization import from localize.drupal.org and compatible servers
or String overrides, which allows you to use the localization system to
override English built-in text.
-------- VERSIONS AFFECTED
---------------------------------------------------
Multiple modules can be used to translate the interface text. Some of those
are
* Locale module in Drupal core.
* Localization update [3]
* String overrides [4]
Drupal core is not affected. If you do not use the contributed
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Given that translations strings can be harmful, you should treat them with
the same skepticism that you treat modules. Get them from reputable sources
or review them prior to using them.
See also the
project page.
-------- REPORTED BY
---------------------------------------------------------
* The underlying issue was reported by Justin C. Klein Keane [5]
-------- FIXED BY
------------------------------------------------------------
This PSA drafted by:
* Gábor Hojtsy [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/security-advisory-policy
[3] http://drupal.org/project/l10n_update
[4] http://drupal.org/project/stringoverrides
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/4166
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
More information about the Security-news
mailing list