Security scanners have reported an XSS vulnerability in the login link when HTML tags are included in the page URL.

Browser request:
example.com/?<script>badscript</script>

Resulting login block link:
<a href="https://example.com/?<script>badscript</script>">Login</a>

The attached patch decodes the URL, then passes it through Drupal's filter_xss function to remove any HTML tags present in the URL. This has resolved the issue with our scanners.

As a side note, this may be more appropriate to patch in request_uri() since that function is failing to filter out malicious code.

| Comment | File | Size | Author |
| --- | --- | --- | --- |
| | cosign.module.patch | 511 bytes | mdulzo |
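The reflected login link from the report, next to a version that escapes the URL for the href attribute at output time. This is an added example, not the attached patch and not code from cosign.module; it is stand-alone PHP with no Drupal bootstrap, and the function names and sample inputs are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not from cosign.module.

// Before: the request URI is concatenated into the href as received.
function login_link_unescaped($host, $request_uri) {
  return '<a href="https://' . $host . $request_uri . '">Login</a>';
}

// After: escape for an HTML attribute value at output time. ENT_QUOTES
// encodes <, >, & and both quote styles, so the value stays inside href="...".
// Drupal's check_plain() is built on htmlspecialchars() with ENT_QUOTES.
function login_link_escaped($host, $request_uri) {
  $url = 'https://' . $host . $request_uri;
  return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Login</a>';
}

// The link should contain exactly two '<' characters (<a ...> and </a>);
// any more means markup from the URL reached the page unencoded.
function has_unencoded_markup($html) {
  return substr_count($html, '<') > 2;
}

// Constructed sample inputs: the raw request from the report, and the same
// request with the query string percent-encoded by the client.
$samples = array(
  'raw'             => '/?<script>badscript</script>',
  'percent-encoded' => '/?%3Cscript%3Ebadscript%3C/script%3E',
);

foreach ($samples as $label => $uri) {
  // Decoding first (as the patch does) turns the encoded form back into the
  // raw one, so output escaping has to run after the decode, never before.
  $decoded = rawurldecode($uri);
  printf("%-16s unescaped=%s decoded+unescaped=%s decoded+escaped=%s\n",
    $label,
    var_export(has_unencoded_markup(login_link_unescaped('example.com', $uri)), true),
    var_export(has_unencoded_markup(login_link_unescaped('example.com', $decoded)), true),
    var_export(has_unencoded_markup(login_link_escaped('example.com', $decoded)), true));
}
```

The percent-encoded request only produces literal markup once it has been decoded, which is why a client that encodes the query string and a scanner that sends it raw can see different results for the same link.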

Comments

ksteinhoff’s picture

Assigned: Unassigned » ksteinhoff

Many thanks for the report and the patch!

ksteinhoff’s picture

I'm not able to reproduce this in any browser I've tested (Firefox, Safari, Chrome and Opera on multiple platforms, and IE6, 7, and 8), so I think it may be a false positive from the scanner. What scanner did you use for this test?

I'll apply the patch to the next release as a precaution.

mlhess’s picture

Status: Needs review » Closed (won't fix)

This is not the correct location to report security issues.

Please see:

http://drupal.org/security-team