- Advisory ID: DRUPAL-SA-CONTRIB-2009-065
- Project: Browscap (third-party module)
- Version: 5.x, 6.x
- Date: 2009-September-30
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Browscap module provides a way to identify the visitors to your site based on the user agent in their browser. It can also record these user agent strings and provide reports about them. When displaying reports about visitors, the module does not properly sanitize the user agent strings before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. Mitigating factors: this only impacts sites which use the "Monitor browsers" feature.
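As an added illustration of the defect described above (this is not the Browscap module's own code), a hypothetical Drupal 6 report callback in the unsanitized form beside the corrected form; the table name, column names and function names are assumed.

```php
<?php
// Hypothetical Drupal 6 page callback for a "Monitor browsers" style report.
// Table and column names are assumed for illustration; this is not Browscap's code.

// UNSANITIZED: the stored User-Agent header value is placed in the HTML table
// verbatim. Because the header is fully attacker-controlled, any markup it
// contains is rendered in the administrator's browser when the report is viewed.
function example_browscap_report_unsanitized() {
  $header = array(t('User agent'), t('Visits'));
  $rows = array();
  $result = db_query('SELECT user_agent, counter FROM {example_browscap_statistics} ORDER BY counter DESC');
  while ($record = db_fetch_object($result)) {
    $rows[] = array($record->user_agent, $record->counter);
  }
  return theme('table', $header, $rows);
}

// CORRECTED: every user-supplied string passes through check_plain(), so
// characters such as < > & " are escaped and shown as text rather than markup.
// The counter is cast to an integer so only a number can reach the output.
function example_browscap_report_sanitized() {
  $header = array(t('User agent'), t('Visits'));
  $rows = array();
  $result = db_query('SELECT user_agent, counter FROM {example_browscap_statistics} ORDER BY counter DESC');
  while ($record = db_fetch_object($result)) {
    $rows[] = array(check_plain($record->user_agent), (int) $record->counter);
  }
  return theme('table', $header, $rows);
}
```

The same rule applies anywhere the recorded user agent is echoed, including report filters and CSV-style exports rendered as HTML.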
- Browscap versions 6.x prior to 6.x-1.1
- Browscap versions 5.x prior to 5.x-1.1
Drupal core is not affected. If you do not use the contributed Browscap module, there is nothing you need to do.
Install the latest version:
- If you use Browscap for Drupal 6.x, upgrade to Browscap 6.x-1.1
- If you use Browscap for Drupal 5.x, upgrade to Browscap 5.x-1.1
See also the Browscap module project page.
Greg Knaddison of the Drupal Security Team
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.