Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-053
- Project: External Link Page (third-party module)
- Version: 5.x, 6.x
- Date: 2010-May-19
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The External Link Page provides a content filter that redirects external links to a customizable page. This page informs the user that
they are about to leave the site and then redirects them. The module does not sanitise data input in it's administration page before displaying it on redirect pages, allowing for a cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access.
Versions affected
- External Link Page prior to 5.x-1.0
- External Link Page prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed External Link Page module, there is nothing you need to do.
Solution
Install the latest version:
- If you use External Link Page for Drupal 5.x upgrade to External Link Page 5.x-1.0
- If you use External Link Page for Drupal 6.x upgrade to External Link Page 6.x-1.2
Reported by
- zzolo, the module maintainer
Fixed by
- zzolo, the module maintainer
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
