[Security-news] SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass

security-news at drupal.org security-news at drupal.org
Wed Nov 28 20:39:46 UTC 2012


View online: http://drupal.org/node/1853214

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-169
  * Project: Email Field [1] (third-party module)
  * Version: 6.x
  * Date: 2012-11-28
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Access bypass

-------- DESCRIPTION  
---------------------------------------------------------

The email module provides a field type (CCK / FieldAPI) for storing email
addresses and a formatter to output the email address as a link to a contact
form. The contact form formatter allows a site visitor to email the stored
address without letting them see what that e-mail address
is.
.... Access bypass

The module didn't sufficiently check access for the contact form page,
allowing a site visitor to email the stored address on the entity without
having access to the field itself.
This vulnerability is mitigated by needing to to use a field permission
module (other than CCK's Content Permissions) with those email fields and
need to have the field contact field formatter configured for either full or
teaser display modes.

CVE: Requested

.... Cross Site Scripting

Furthermore the mailto link wasn't sanitized when output to the screen. This
vulnerability is mitigated by the fact that Drupal's form validation for
emails prevents malicious emails and would need to be bypassed to exploit
this vulnerability, e.g. by importing data from external sources and not
doing validation.

CVE: Requested

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Email Field 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Email Field
[3] module, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:

  * If you use the Email Field module for Drupal 6.x, upgrade to Email 6.x-1.4
    [4]

Also see the Email Field [5] project page.

-------- REPORTED BY  
---------------------------------------------------------

  * Fox (hefox) [6]

-------- FIXED BY  
------------------------------------------------------------

  * Matthias Hutterer [7] the module maintainer

-------- COORDINATED BY  
------------------------------------------------------

  * Fox (hefox) [8] of the Drupal Security Team
  * Greg Knaddison [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/email
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/email
[4] http://drupal.org/node/1852612
[5] http://drupal.org/project/email
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/59747
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration



More information about the Security-news mailing list