• Advisory ID: DRUPAL-SA-2007-016
  • Project: LoginToboggan (third-party module)
  • Version: 4.7.x-1.0, 4.7.x-1.x-dev, 5.x-1.x-dev
  • Date: 2007-07-12
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting


The LoginToboggan module provides several modifications of the Drupal login system. One of the features is a block that can be enabled on the site to display the currently logged in user with a "Log out" link. If a user is able to insert JavaScript into their username, they would be able execute a cross site scripting attack (XSS). This may lead to administrator access if certain conditions are met. However, Drupal core validates the username field to prevent any special characters, so it would be extremely difficult to exploit this potential vulnerability. Therefore, the security risk is considered "Not critical", since default configurations of Drupal are not vulnerable.

Additionally, in the 5.x-1.x-dev version compatible with 5.x Drupal core, a user with "administer blocks" permission could place JavaScript into the message displayed above the default user login block. This could lead to privilege escalation if certain conditions are met.

Learn more about XSS on Wikipedia.

Versions affected

  • LoginToboggan 4.7.x-1.0 or 4.7.x-1.x-dev prior to 2007-07-12
  • LoginToboggan 5.x-1.x-dev prior to 2007-07-12

Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.


Install the latest version:

See also the LoginToboggan project page.

Disabling the "LoginToboggan logged in block" provides an immediate work-around to prevent anyone from being able to exploit these vulnerabilities remotely. The only solution for the 5.x-specific attack for users with administrator privileges is to upgrade to the official 5.x-1.0 release.

Reported by

Chad Phillips (hunmonk)


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.