- Advisory ID: DRUPAL-SA-CONTRIB-2010-034
- Project: Internationalization (third-party module)
- Version: 6.x
- Date: 2010-April-7
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Internationalization module enables translation of user-defined strings using Drupal's locale interface. Some of these user-defined strings have input formats associated with them, and some of the strings used for translating blocks were not properly filtered before display.
Additionally, none of the strings translated using this module were checked for potentially malicious HTML and script code, as regular Drupal string translations are.
Both issues would allow a user with the 'translate interface' or the 'administer blocks' permission to attempt a cross-site scripting (XSS) attack, which may lead to the user gaining full administrative access.
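The kind of check described above as missing, shown as an added example that is not code from the Internationalization module or from Drupal: a Python audit that flags translated strings containing tags outside an allowlist, event-handler attributes, or URL schemes other than a few safe ones. The allowlist, the row layout and the sample strings are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumption: allowlist of inline tags acceptable in a translation (not Drupal's own list).
ALLOWED_TAGS = {"a", "abbr", "b", "br", "code", "em", "i", "span", "strong"}
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

class _Auditor(HTMLParser):
    """Collects markup in a string that falls outside the allowlist."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; attribute values arrive entity-decoded.
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag <{tag}> not in allowlist")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in ("href", "src"):
                # Drop whitespace and control characters before reading the scheme.
                cleaned = "".join(c for c in (value or "") if c > " ")
                m = SCHEME_RE.match(cleaned)
                if m and m.group(1).lower() not in SAFE_SCHEMES:
                    self.findings.append(f"{name} uses scheme {m.group(1).lower()}")

def unsafe_markup(text):
    """Return the findings for one translated string (empty list if clean)."""
    auditor = _Auditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings

def audit(rows):
    """Map string id -> findings for every row with at least one finding."""
    report = {}
    for lid, _language, translation in rows:
        findings = unsafe_markup(translation)
        if findings:
            report[lid] = findings
    return report

# Constructed sample rows: (string id, language, translation).
SAMPLE = [
    (101, "es", "Bienvenido a <em>mi sitio</em>"),
    (102, "es", '<a href="/node/1">Leer más</a>'),
    (103, "fr", "Bonjour<script>alert(1)</script>"),
    (104, "de", '<img src="x.png" onerror="alert(1)">'),
    (105, "de", '<a href="JaVa&#115;cript:alert(1)">Weiter</a>'),
]

if __name__ == "__main__":
    for lid, findings in audit(SAMPLE).items():
        print(lid, "; ".join(findings))
```

Flagged rows are candidates for manual review by someone who can read the translation in context.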
- Internationalization 6.x prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Internationalization module, there is nothing you need to do. Also, if you are not using Internationalization's 'String translation' (i18nstrings) module, you don't need to update.
Install the latest version:
- If you use the Internationalization module for Drupal 6.x, update to Internationalization 6.x-1.4 and run the Drupal database update.
See also the Internationalization project page
- Jose Reyero, the module maintainer.
The Security Team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.