The JavaScript settings get included into the page without any filtering. This allows someone with permission to configure the module to inject malicious code, i.e. a cross-site scripting attack.
I can think of 3 possible solutions:
1. filter the admin-added values to ensure they don't include malicious code
2. change the hook_permission to make 'restrict access' => TRUE for the administration permission
3. both?
I think solution #1 is the best.
This issue can be in the public queue instead of a private security.drupal.org issue because the Quantcast module doesn't have a stable release (see the policy https://www.drupal.org/security-advisory-policy on which releases get advisories).
Comment | File | Size | Author
---|---|---|---
#2 | quantcast-n2462487-2.patch | 575 bytes | DamienMcKenna
Comments
Comment #1
coltrane
Entering this as the "Quantcast P-Code" will demonstrate the XSS issue:
Patch uses check_plain() to mitigate.
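To make the mitigation concrete, here is an added example (not the Quantcast module's code and not the patch from this issue) showing the pattern the issue describes, an admin-configured setting written straight into inline JavaScript, beside the check_plain() version. It assumes a Drupal 7-style variable_get() and Drupal 7's check_plain() (which is htmlspecialchars() with ENT_QUOTES and UTF-8); both are stubbed so the file runs stand-alone, and the setting values are constructed placeholders, not real P-Codes.

```php
<?php
// Added example: illustrates the class of bug in this issue, not the module's own code.
// Assumptions: variable_get() and check_plain() behave as in Drupal 7; both are
// stubbed here so `php example.php` runs without a Drupal install.

// Constructed sample setting store. 'p-abc123' is a placeholder, not a real P-Code.
$GLOBALS['settings'] = array('quantcast_pcode' => 'p-abc123');

function variable_get($name, $default = NULL) {
  return isset($GLOBALS['settings'][$name]) ? $GLOBALS['settings'][$name] : $default;
}

// Drupal 7's check_plain(): escapes &, <, >, " and ' for an HTML context.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// BEFORE: the pattern the issue describes. Whatever an administrator stored
// is interpolated into the page as-is.
function quantcast_inline_js_vulnerable() {
  $pcode = variable_get('quantcast_pcode', '');
  return "<script>var _qevents = [{qacct: \"$pcode\"}];</script>";
}

// AFTER: the mitigation the patch applies. check_plain() turns <, >, " and '
// into entities, so the stored value can no longer close the quoted string or
// the <script> element.
function quantcast_inline_js_fixed() {
  $pcode = check_plain(variable_get('quantcast_pcode', ''));
  return "<script>var _qevents = [{qacct: \"$pcode\"}];</script>";
}

// Demonstrate with a constructed value that contains HTML metacharacters.
$GLOBALS['settings']['quantcast_pcode'] = 'p-abc"<b>';
echo "unfiltered:  " . quantcast_inline_js_vulnerable() . "\n";
echo "check_plain: " . quantcast_inline_js_fixed() . "\n";
```

Running it prints the raw quote and tag in the first line and `p-abc&quot;&lt;b&gt;` in the second. One design note: check_plain() is an HTML-context escaper, and here the value lands inside JavaScript; in Drupal 7 the alternative that matches that context is passing the value as a setting via drupal_add_js(array('quantcast' => array('pcode' => $pcode)), 'setting') and reading it from Drupal.settings, which JSON-encodes it. That is not what the patch in this issue does, but it is worth knowing when reviewing similar code.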
Comment #2
DamienMcKenna
The code has changed a good bit, so here's a reroll.
Comment #3
DamienMcKenna
BTW the patch also removes a redundant variable_get() from quantcast_page_build().
Comment #4
greggles
Any feedback from the maintainers about this issue?
Comment #6
greggles
Now fixed. Thanks for the reroll, DamienMcKenna!