- Advisory ID: DRUPAL-PSA-2012-001
- Version: 6.x, 7.x
- Date: 2012-March-07
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
This is a public service announcement regarding possible cross-site scripting risks associated with interface localizations for Drupal. Drupal has cross-site scripting prevention filters in the interface localization import code in Drupal core, however, the extent to which localization can be used to inject markup to webpages is wider, and due to Drupal's localization architecture and code reuse, we cannot tell in advance where the localized text is going to be used and how we should sanitize the translated text. When translated text is used, developers do not expect that it might cause cross-site scripting issues and therefore do not use filtering techniques when the resulting text is assembled into the output.
You should be aware that Drupal's cross-site scripting prevention for interface localizations is not complete and therefore you should review the localizations imported to your site before importing them or ensure that they come from trusted sources. Even Drupal's central localization source, localize.drupal.org has configurable permission system for teams. Those teams where translations are moderated by a team of volunteers are less likely to contain any attack code.
Consequently we are adding translate interface to our list of advanced permissions in our Security advisories process and permissions policy document.
The issue also affect contributed modules like Localization update which automate localization import from localize.drupal.org and compatible servers or String overrides, which allows you to use the localization system to override English built-in text.
Multiple modules can be used to translate the interface text. Some of those are
Given that translations strings can be harmful, you should treat them with the same skepticism that you treat modules. Get them from reputable sources or review them prior to using them.
- The underlying issue was reported by Justin C. Klein Keane
This PSA drafted by:
- Gábor Hojtsy of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.