  • Advisory ID: DRUPAL-SA-CONTRIB-2011-039
  • Project: Bot Alarm (third-party module)
  • Version: 6.x
  • Date: 2011-August-31
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Cross Site Request Forgery

Description

This module enables you to set alarms for your IRC bot.

The module does not properly escape the message and channel of alarms on the pages that list alarms, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'administer bot'.

The module does not check for a one-time-use token when deleting an alarm, leading to a Cross Site Request Forgery (CSRF) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'administer bot'.
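To make the two defects concrete, the following is an added illustration written in Drupal 6 PHP for this advisory; it is not the Bot Alarm module's own code. The function names, the `example_alarm` table, the `admin/bot/alarm` paths and the sample alarm rows are assumptions. It places an alarm listing that emits channel and message unescaped beside one that passes them through check_plain(), and a delete operation that fires from a bare link beside one routed through confirm_form(), whose form token Drupal validates before the submit handler ever runs.

```php
<?php
// Added illustration (not bot_alarm's code). Function names, the example_alarm
// table and the admin/bot/alarm paths are assumptions; the alarm rows below are
// constructed sample data.

// Constructed sample data: one message carries markup to show the difference
// between raw output and escaped output.
function example_alarm_sample_rows() {
  return array(
    array('id' => 1, 'channel' => '#ops', 'message' => 'Deploy at <b>noon</b>'),
    array('id' => 2, 'channel' => '#dev', 'message' => 'Standup in 10 minutes'),
  );
}

// UNSAFE listing: user-controlled channel and message land in the HTML as-is,
// and the delete operation is a plain link that deletes on a single GET.
function example_alarm_list_unsafe($alarms) {
  $header = array(t('Channel'), t('Message'), t('Operations'));
  $rows = array();
  foreach ($alarms as $alarm) {
    $rows[] = array(
      $alarm['channel'],                         // not escaped: XSS
      $alarm['message'],                         // not escaped: XSS
      l(t('delete'), 'admin/bot/alarm/' . $alarm['id'] . '/delete'),
    );
  }
  return theme('table', $header, $rows);
}

// HARDENED listing: every user-controlled value goes through check_plain(), so
// '<b>noon</b>' is rendered as literal text, and the delete link only leads to
// a confirmation form rather than performing the deletion itself.
function example_alarm_list_safe($alarms) {
  $header = array(t('Channel'), t('Message'), t('Operations'));
  $rows = array();
  foreach ($alarms as $alarm) {
    $rows[] = array(
      check_plain($alarm['channel']),
      check_plain($alarm['message']),
      l(t('delete'), 'admin/bot/alarm/' . (int) $alarm['id'] . '/delete'),
    );
  }
  return theme('table', $header, $rows);
}

// Route the delete path through drupal_get_form() and gate it on the same
// 'administer bot' permission the advisory names.
function example_alarm_menu() {
  $items['admin/bot/alarm/%/delete'] = array(
    'title' => 'Delete alarm',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_alarm_delete_confirm', 3),
    'access arguments' => array('administer bot'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Confirmation form. Because it is built by the form API, the POST carries a
// per-session form_token; Drupal rejects a submission without a valid token,
// so a forged cross-site request cannot reach the submit handler.
function example_alarm_delete_confirm(&$form_state, $alarm_id) {
  $form['alarm_id'] = array('#type' => 'value', '#value' => (int) $alarm_id);
  return confirm_form(
    $form,
    t('Are you sure you want to delete alarm %id?', array('%id' => (int) $alarm_id)),
    'admin/bot/alarm',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

// Only runs after the form API has validated the token.
function example_alarm_delete_confirm_submit($form, &$form_state) {
  db_query('DELETE FROM {example_alarm} WHERE id = %d', $form_state['values']['alarm_id']);
  drupal_set_message(t('Alarm deleted.'));
  $form_state['redirect'] = 'admin/bot/alarm';
}
```

The two listing functions take the same input; rendering example_alarm_sample_rows() through the unsafe version yields a bold "noon" in the page, while the safe version shows the angle brackets as text. For the CSRF side, the state-changing query lives only in the submit handler of a form API form, which is the standard Drupal 6 way to get token checking without writing it by hand.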

Versions affected

  • Bot Alarm 6.x-1.0

Drupal core is not affected. If you do not use the contributed Bot Alarm module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the bot_alarm module for Drupal 6.x, upgrade to 6.x-1.2

See also the Bot Alarm project page.

Reported by

Fixed by

Release coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.