(Please note that the security team approved this as a public issue)

There is a Cross Site Scripting issue in Filter Tips (full listing) - coming from site name:

Reproduce:
Put

alert('xssname - site');

into Site name in configuration
Go to ?q=filter/tips

Result:
alert 'xssname - site'

Since you have to have "administer site configuration" permission to exploit this, there is really no attack vector - you already have elevated privileges.

This affects both 7.x and probably 6.x.

Just an issue now, patch later.

CommentFileSizeAuthor
#1 drupal.filter-tips-xss.1.patch1.82 KBsun
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Status: Active » Needs review
FileSize
drupal.filter-tips-xss.1.patch1.82 KB

Resolved.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Issue tags: +Needs backport to D6, +Needs backport to D5
casey’s picture

casey CreditAttribution: casey commented
Status: Needs review » Reviewed & tested by the community

Patch is good and still applies.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS.

Status: Fixed » Closed (fixed)
Issue tags: -Needs backport to D6, -Security improvements, -Needs backport to D5

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue tags: +Needs backport to D6, +Security improvements, +Needs backport to D5

Restoring issue tags, see #2125755: System messages removed all issue tags during D7 upgrade.