The XSS vulnerability is described in full here:
http://lampsecurity.org/drupal-cck-xss-vulnerability
A user with 'administer content types' permissions may insert JavaScript into the Title and Body field labels, and these scripts will fire on the 'manage fields' admin page.
The patch attached below merely runs the output of those field labels through check_plain().
This patch is not against the latest development snapshot. It is intended specifically for CCK 6.x-2.2.
| Comment | File | Size | Author |
|---|---|---|---|
|  | xss-label-fix.patch | 724 bytes | rickward |
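The class of bug the attached patch addresses, shown as an added example that is not CCK's code or the contents of the patch: a constructed field label is rendered into an admin table row once unescaped and once through a stand-in for check_plain(). The stand-in is named escape_plain() here and is an assumption; Drupal's own check_plain() also rejects invalid UTF-8 before escaping, which is omitted.

```php
<?php
// Added example, not CCK's code. Demonstrates why a label typed by a
// content-type administrator must be escaped before it is placed in the
// 'manage fields' markup, and what the escaping changes.

// Constructed sample labels: the first is ordinary, the other two carry
// markup that would become active if concatenated into HTML as-is.
$labels = [
  'Title',
  'Body <script>alert(1)</script>',
  'Summary" onmouseover="alert(1)',
];

// Stand-in for Drupal's check_plain() (assumption, not the real function):
// escapes &, <, >, " and ' so the value is inert both as element content
// and inside a double- or single-quoted attribute.
function escape_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: user-controlled label concatenated into admin markup.
function render_field_row_unescaped(string $label): string {
  return '<tr><td class="label">' . $label . '</td></tr>';
}

// Hardened pattern (what the patch does): the label passes through the
// escaper at the point of output.
function render_field_row_escaped(string $label): string {
  return '<tr><td class="label">' . escape_plain($label) . '</td></tr>';
}

// Reviewer's check: after escaping, no raw tag start or unescaped double
// quote from the label should survive in the rendered row.
function row_is_inert(string $html): bool {
  return strpos($html, '<script') === false
      && strpos($html, 'onmouseover="') === false;
}

foreach ($labels as $label) {
  $raw  = render_field_row_unescaped($label);
  $safe = render_field_row_escaped($label);
  printf("label:     %s\n", $label);
  printf("unescaped: %s  (inert: %s)\n", $raw,  row_is_inert($raw)  ? 'yes' : 'NO');
  printf("escaped:   %s  (inert: %s)\n\n", $safe, row_is_inert($safe) ? 'yes' : 'NO');
}
```

Running this prints, for the two hostile labels, an unescaped row that still contains `<script>` or a live `onmouseover="` attribute and an escaped row in which those characters have become `&lt;`, `&gt;` and `&quot;`. The point for a reviewer of the patch is that the escaping belongs at the output site (the admin page template), not at input time, so every path that renders the label is covered.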
Comments
Comment #1
drewish commented: I think this was found to be a non-issue. If you give someone administrator access it shouldn't come as a surprise that they can cause problems. See SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities
Comment #2
rickward commented: Yes, but our organization decided that it was best to minimize any potential vectors for attack, so we have implemented this (very simple) patch. That is why it is designed to be applied against the latest stable release rather than the latest development snapshot.
We have cases where certain users have a need for the content modeling tools provided by CCK, but they have no need for user management. These are trusted users, but they do not typically possess a systems administration background.
Comment #3
rickward commented: Also (not to belabor the point), this issue is most certainly a bug and, as such, should be addressed.
Comment #4
yched commented: As drewish wrote, this is not considered a security hole, which the good folks at lampsecurity.com probably acknowledge too, since they so kindly disclosed it... *shrug*
No reason not to fix this, however. Committed.
Comment #5
rickward commented: Merci, yched!