- Advisory ID: DRUPAL-SA-CONTRIB-2011-008
- Project: Chatroom (third-party module)
- Version: 6.x
- Date: 2011-February-02
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting and Cross Site Request Forgery
Description
The Chatroom module provides real-time chat capabilities to Drupal.
Vulnerability: Cross Site Scripting
The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting (XSS) vulnerability. Any user with permission to view chatroom summary pages is vulnerable to attack.
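Added example (not the Chatroom module's own code) of the escaping the advisory describes as missing: a hypothetical Drupal 6 page callback that lists recent messages in a chatroom, first in the unescaped form that produces the XSS and then with every user-supplied string passed through check_plain(). The function names, the $message object and its fields are assumptions for illustration.

```php
<?php
// Added example, not taken from the Chatroom module. Function names,
// the $message object and its ->name / ->body fields are assumed.

/**
 * Vulnerable pattern: author name and message body are concatenated into
 * markup as stored, so any HTML a user typed into the chat is rendered for
 * everyone who views the summary page.
 */
function chatroom_example_summary_unsafe(array $messages) {
  $items = array();
  foreach ($messages as $message) {
    $items[] = $message->name . ': ' . $message->body;
  }
  return theme('item_list', $items);
}

/**
 * Hardened pattern: check_plain() encodes <, >, &, " and ' so the browser
 * shows the text literally. Use filter_xss() instead only where a limited
 * set of tags is intentionally allowed in chat messages.
 */
function chatroom_example_summary(array $messages) {
  $items = array();
  foreach ($messages as $message) {
    $items[] = check_plain($message->name) . ': ' . check_plain($message->body);
  }
  return theme('item_list', $items);
}
```

When reviewing a module for this class of bug, look for any value read from the database or from user input that reaches a template, theme() call or page callback return value without check_plain(), filter_xss() or an equivalent; escaping belongs at the point of output, not at the point of storage.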
Vulnerability: Cross Site Request Forgery
The module does not properly check for valid form tokens, leading to a Cross Site Request Forgery (CSRF) vulnerability. Users with administrative privileges are vulnerable to replay attacks.
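Added example (not the Chatroom module's own code) of the form-token check the advisory describes as missing: a hypothetical Drupal 6 administrative action reached through a link, shown first without any token and then with a token generated by drupal_get_token() and verified by drupal_valid_token(). The path, the chatroom_example_* functions and the table name are assumptions for illustration.

```php
<?php
// Added example, not taken from the Chatroom module. The menu path, the
// chatroom_example_* functions and the {chatroom_example_msg} table are assumed.

/**
 * Vulnerable pattern: the state change happens as soon as the URL is
 * requested, so any request carrying an administrator's session cookie,
 * wherever it originated, performs it.
 */
function chatroom_example_clear_unsafe($chatroom_id) {
  chatroom_example_delete_messages($chatroom_id);
  drupal_set_message(t('Chatroom cleared.'));
  drupal_goto('admin/chatrooms');
}

/**
 * Builds the action link with a token bound to the current session, the
 * site's private key and this specific chatroom, so a token captured for
 * one room or one session cannot be replayed against another.
 */
function chatroom_example_clear_link($chatroom_id) {
  $path = 'admin/chatrooms/' . $chatroom_id . '/clear';
  $token = drupal_get_token('chatroom_clear_' . $chatroom_id);
  return l(t('Clear messages'), $path, array('query' => array('token' => $token)));
}

/**
 * Hardened pattern: refuse the request unless a token valid for this
 * session and this chatroom accompanies it.
 */
function chatroom_example_clear($chatroom_id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'chatroom_clear_' . $chatroom_id)) {
    return drupal_access_denied();
  }
  chatroom_example_delete_messages($chatroom_id);
  drupal_set_message(t('Chatroom cleared.'));
  drupal_goto('admin/chatrooms');
}

/** Assumed helper standing in for the module's own storage code. */
function chatroom_example_delete_messages($chatroom_id) {
  db_query("DELETE FROM {chatroom_example_msg} WHERE chatroom_id = %d", $chatroom_id);
}
```

For actions that can be routed through a form rather than a link, Drupal's Form API adds and validates a form_token for authenticated users automatically, so wrapping the action in confirm_form() is usually the simpler fix; the explicit drupal_valid_token() check above is for link-driven actions that bypass the Form API. The token value should be compared exactly as generated, and the value passed to drupal_get_token() should identify the specific object being changed.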
Versions affected
- Chatroom module for Drupal 6.x versions prior to 6.x-2.13.
Drupal core is not affected. If you do not use the contributed Chatroom module, there is nothing you need to do.
Solution
Install the latest version:
- Upgrade to Chatroom 6.x-2.13
See also the Chatroom project page.
Reported by
- XSS reported by Steffen Schüssler
- CSRF reported by Greg Knaddison of the Drupal Security Team
Fixed by
- Justin Randell, module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.