Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2009-073
- Project: Printer, e-mail and PDF versions (third-party module)
- Version: 5.x, 6.x
- Date: 2009-October-14
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
The Printer, e-mail and PDF versions ("print") module provides printer-friendly versions of content. When displaying the list of links in a page, the module does not properly escape this data, leading to a cross site scripting (XSS) vulnerability.
In addition, the "Send by e-mail" sub-module does not properly check for access permissions before displaying the "Send to friend" form, and may display the page title for pages to which the user does not have access (usually as they are unpublished or unauthorized for his role), even though the user is not actually allowed to send them by e-mail.
- Printer, e-mail and PDF versions 6.x prior to 6.x-1.9
- Printer, e-mail and PDF versions 5.x prior to 5.x-4.9
Drupal core is not affected. If you do not use the contributed Printer, e-mail and PDF versions module, there is nothing you need to do.
Install the latest version:
- If you use Printer, e-mail and PDF versions for Drupal 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.9
- If you use Printer, e-mail and PDF versions for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.9
Disable the "Printer-friendly URLs list" in 'admin/settings/print/common' and disable the "Send by e-mail" ("print_mail") module.
See also the Printer, e-mail and PDF versions project page.
jcnventura, the module maintainer
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.