- Advisory ID: SA-CONTRIB-2010-079
- Project: Devel (third-party module)
- Version: 5.x, 6.x
- Date: 2010-Aug-04
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description:
The devel project is a suite of modules for developers and themers.
Within the devel project, there is the performance logging module. The module does not escape URLs comprised of node paths, leading to a Cross Site Scripting (XSS) vulnerability. Users with the permission to access the reports that the performance module produces are vulnerable to attack. A malicious user needs the ability to add url aliases to create and exploit the vulnerability.
Versions affected:
- Devel module for Drupal 5.x versions prior to 5.x-1.3
- Devel module for Drupal 6.x versions prior to 6.x-1.21
Drupal core is not affected. If you do not use the contributed performance logging module, there is nothing you need to do.
Solution:
Install the latest version:
- For Drupal 5.x, upgrade to Devel 5.x-1.3
- For Drupal 6.x, upgrade to Devel 6.x-1.21
See also the Devel project page.
Reported by:
- Justin James Grevich
Fixed by:
- Khalid Baheyeldin (kbahey), the performance logging module maintainer
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.