  • Advisory ID: DRUPAL-SA-2008-052
  • Project: Link To Us (third-party module)
  • Versions: 5.x
  • Date: 2008-September-17
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

The Link To Us module creates a page that displays uploaded banners which others can use to link to your Drupal site. The module generates well-formed, SEO-friendly links whose title, alt and anchor text are taken from the node title, taxonomy term, or other page directed to the module.

Unfortunately, the module does not properly escape this text before outputting it, which allows malicious users who are able to post content to insert arbitrary HTML and scripts into the banner page. Wikipedia has more information about such cross site scripting (XSS) attacks.
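The defect is the classic one of concatenating a contributor-controlled string (here the node title) into link markup without escaping. The following is an added illustration, not the Link To Us module's own code; the function names are invented for the example, and it spells out the escaping inline so it runs without Drupal (in a module you would call check_plain(), which is htmlspecialchars() with ENT_QUOTES on UTF-8 input).

```php
<?php
// Vulnerable pattern: the node title is dropped straight into the href's
// title attribute, the img alt attribute and the anchor text. A double quote
// in the title closes the attribute, and any tag in it is rendered as HTML,
// so whoever can set a node title controls markup on the banner page.
function link_markup_unsafe($site_url, $banner_url, $title) {
  return '<a href="' . $site_url . '" title="' . $title . '">'
       . '<img src="' . $banner_url . '" alt="' . $title . '" />'
       . $title . '</a>';
}

// Stand-in for Drupal's check_plain(): escape for an HTML text or
// double-quoted attribute context.
function escape_html($s) {
  return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: every untrusted value is escaped once for the context
// it lands in. The URLs are assumed to come from trusted site configuration
// here; user-supplied URLs would additionally need URL validation.
function link_markup_safe($site_url, $banner_url, $title) {
  $t = escape_html($title);
  return '<a href="' . escape_html($site_url) . '" title="' . $t . '">'
       . '<img src="' . escape_html($banner_url) . '" alt="' . $t . '" />'
       . $t . '</a>';
}

// Constructed sample input: a node title that carries a quote and a tag.
$site   = 'http://example.com/';
$banner = 'http://example.com/files/banner.png';
$title  = 'Acme "Widgets" <b>Inc</b>';

// The quote ends the title attribute early and <b> is interpreted as markup.
echo link_markup_unsafe($site, $banner, $title), "\n";
// The same input is rendered literally: &quot; and &lt;b&gt; appear escaped.
echo link_markup_safe($site, $banner, $title), "\n";
```

Comparing the two lines of output on the constructed input shows exactly which characters the module needed to neutralise; the fixed release applies that escaping at the output point.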

Versions Affected

  • Versions of Link To Us for Drupal 5.x prior to 5.x-1.1

Note: the 6.x development version is also vulnerable to this issue. A fix for the issue will appear within 12 hours in the next 6.x development snapshot. Development snapshots are not supported.

Drupal core is not affected. If you do not use the Link To Us module, there is nothing you need to do.

Solution

Install the latest version.

Also see the Link To Us project page.

Reported by

  • Justin Klein Keane

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.