[IT-SecNots] [Security-news] SA-CONTRIB-2011-023 - Prepopulate - Multiple vulnerabilities

[security-news AT drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2011-023
  * Project: Prepopulate (third-party module)
  * Version: 6.x
  * Date: 2011-June-08
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple

-------- DESCRIPTION  
---------------------------------------------------------

The Prepopulate module enables pre-populating forms in Drupal using the
$_REQUEST vairable.

The module does not adequately validate user input leading to an cross-site
scripting (XSS) possibility in certain circumstances. Users privileged to use
forms with certain form fields can insert arbitrary HTML and script code into
the rendered form. Such a cross-site scripting attack may lead to the
malicious user gaining administrative access. Wikipedia has more information
about cross-site scripting [1] (XSS).

The module does not properly protect the forms against Cross-site Request
Forgeries (CSRF), allowing a malicious user to trick an authorized user into
submitting unintended values on a form. Wikipedia has more information about
cross-site request forgery [2].

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Prepopulate module for Drupal 6.x versions prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed Prepopulate
[3] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate
    6.x-2.2 [4]

-------- REPORTED BY  
---------------------------------------------------------

  * XSS by Ezra B. Gildesgame (ezra-g) [5]
  * CSRF by David Rothstein (David_Rothstein), of the Drupal security team [6]

-------- FIXED BY  
------------------------------------------------------------

  * XSS by Ezra B. Gildesgame (ezra-g) [7]
  * CSRF by Joshua Brauer (jbrauer), Module maintainer [8]

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [9], writing secure code for Drupal [10], and secure configuration
[11] of your site.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://drupal.org/project/prepopulate
[4] http://drupal.org/node/1182972
[5] https://drupal.org/user/69959
[6] http://drupal.org/user/124982
[7] https://drupal.org/user/69959
[8] http://drupal.org/user/12363
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news