It has been reported that the Echo module has a security vulnerability in that it allows an external hacker to craft a URL that causes the target site to display arbitrary data, without limitation.

Since receiving and responding to the original security team report, I have not heard from them in a long time, and I have since lost the original email and thus have no way to update the official report.

Therefore, I have fixed the issue on my own as follows:

  1. All $_REQUEST data is now sanitized by filter_xss().
  2. The echo_themed_page() function now stores a hash of its arguments in the cache. The _echo_access() function checks for the existence of this cache entry ensure that the request was indeed generated by echo_themed_page() and not by an external source.

This means that the Echo module now depends on a working cache implementation.

Comments

pillarsdotnet’s picture

pillarsdotnet commented
Title: placeholder » Data passed to the echo module should be sanitized and protected against external exploits.
Status: Active » Fixed
Fixed in:

6.x-1.7

7.x-1.7

8.x-1.7

pillarsdotnet’s picture

pillarsdotnet commented

Crosslink: https://security.drupal.org/node/61334

andros’s picture

andros commented

Hi, since i updated to version 7.x-1.7, my html newsletter won't work any more. what is the right way to configure my site to work with this version?
I use Simplenews with HTML Mail and a custom text-filter ( with Transliteration, Emogrifier and Pathologic) on a own theme for the HTML Mail output.

pillarsdotnet’s picture

pillarsdotnet commented

@andros -- please open up a new issue.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

(not verified) commented
Issue summary: View changes

Replaced dummy content with real bug report