• Advisory ID: DRUPAL-SA-2007-027
  • Project: Several Modules That Use Token module
  • Version: 5.x
  • Date: 2007-October-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

Several server variables are not escaped consistently. When a malicious user is able to enter comments and then entice a victim to visit a webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.

For example, a malicious user with the 'post comments' or 'post comments without approval' permission would be able to inject arbitrary HTML and script code into a comment. If the site uses the Token module to display that text in an HTML page, the injected HTML and script code is executed on the website. Because the Token module provides a centralized API, several modules are impacted by this issue. A module may not be insecure on its own, but only when combined with another module or theme that uses it.

Other affected areas are vocabulary names, term names, and usernames.

Disabling the affected module provides an immediate workaround.

Wikipedia has more information about cross site scripting (XSS).

Versions affected

  • ASIN Field Module 5.x before version 5.x-1.4
  • e-Commerce Module 4.7.x-3.x before version 4.7.x-3.4
  • e-Commerce Module 5.x-3.x before version 5.x-3.4
  • e-Commerce Module 5.x-4.x-beta before version 5.x-4.0-alpha5
  • Fullname field for CCK Module 5.x before version 5.x-1.1
  • Invite Module 5.x-1.8+ before version 5.x-1.12
  • Node Relativity Module 5.x-2.1 before version 5.x-2.2
  • Pathauto Module 5.x-2.x before version 5.x-2.0-beta4
  • PayPal Node Module 5.x before version 5.x-1.1
  • Token Module 4.7.x before version 4.7.x-1.5
  • Token Module 5.x before version 5.x-1.9
  • Ubercart Module 5.x before version 5.x-1.0-alpha7e

Solution

Upgrade to the latest version of the Token module, and if you are running an earlier version of a module listed above, upgrade that as well:

  • If you are running Drupal 4.7.x then upgrade to Token 4.7.x-1.5.
  • If you are running Drupal 5.x then upgrade to Token 5.x-1.9.
  • If you are running any of the other modules from the list above, upgrade to the version specified in the list.

Important note

If you are the author of a module which depends on the Token module, please read the API.txt file included with the Token module for important information about how to deal with raw tokens.
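The following PHP snippet illustrates the issue described above (escaped versus raw tokens placed into HTML output) and the point of this note. It is an added example, not code from the Token module or from the advisory; the helper names check_plain(), build_tokens() and token_replace_demo() and the sample term and user data are assumed for illustration.

```php
<?php
// Added illustration; not Token module code. check_plain() mirrors the
// escaping helper Drupal core provides under that name.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical token set. Each value is offered escaped by default and
// as a -raw variant, the naming the Token module uses for unescaped tokens.
function build_tokens(array $term, array $account) {
  return array(
    '[term]'     => check_plain($term['name']),
    '[term-raw]' => $term['name'],
    '[user]'     => check_plain($account['name']),
    '[user-raw]' => $account['name'],
  );
}

// Minimal stand-in for token replacement: literal substitution only.
function token_replace_demo($text, array $tokens) {
  return strtr($text, $tokens);
}

// Constructed sample data: a term name chosen by an attacker who can
// create vocabulary terms, carrying a script tag.
$term    = array('name' => '<script>alert(1)</script>Music');
$account = array('name' => 'alice');
$tokens  = build_tokens($term, $account);

// Vulnerable pattern: a raw token dropped straight into HTML output, so
// the script tag reaches the browser intact.
$vulnerable = token_replace_demo('<h2>Tagged [term-raw] by [user-raw]</h2>', $tokens);

// Hardened pattern: use the escaped tokens whenever the result is HTML
// (or run check_plain() over raw output yourself).
$safe = token_replace_demo('<h2>Tagged [term] by [user]</h2>', $tokens);

// Raw tokens belong in non-HTML contexts such as a path alias, where the
// consuming module applies the sanitisation that context needs instead.
$alias = strtolower(preg_replace('/[^a-z0-9\/]+/i', '-',
  token_replace_demo('taxonomy/[term-raw]', $tokens)));

echo $vulnerable, "\n";
echo $safe, "\n";
echo $alias, "\n";
```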

Reported by

Greg Knaddison (greggles) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.