• Advisory ID: DRUPAL-SA-CONTRIB-2011-008
  • Project: Chatroom (third-party module)
  • Version: 6.x
  • Date: 2011-February-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting and Cross Site Request Forgery

Description

The Chatroom module provides real-time chat capabilities to Drupal.

Vulnerability: Cross Site Scripting

The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting (XSS) vulnerability. Any user with permission to view chatroom summary pages is vulnerable to attack.

Vulnerability: Cross Site Request Forgery

The module does not properly check for valid form tokens, leading to a Cross Site Request Forgery(XSS) vulnerability. Users with administrative privileges are vulnerable to replay attacks.

Versions affected

  • Chatroom module for Drupal 6.x versions prior to 6.x-2.13.

Drupal core is not affected. If you do not use the contributed Chatroom module, there is nothing you need to do.

Solution

Install the latest version:

See also the Chatroom project page.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.