[IT-SecNots] [Security-news] SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)
- Date: Wed, 10 Sep 2014 20:02:13 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
View online: https://www.drupal.org/node/2336263
* Advisory ID: DRUPAL-SA-CONTRIB-2014-086
* Project: Custom Breadcrumbs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-September-10
* Security risk: 16/25 (Critical)
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb
trails for different content types, views, panels, taxonomy vocabularies and
terms, and paths, and provides a simple API that allows contributed modules to
enable custom breadcrumbs for module pages and theme templates.
User input is not properly sanitized in all use cases, opening a Cross Site
Scripting (XSS) vulnerability.
The vulnerability is only present when the custom breadcrumb is configured
with the special identifier so that some of the breadcrumb items are
not links. A typical example is a breadcrumb whose last element shows the
current page title but is not a link. The XSS vulnerability is not triggered
if all items of the breadcrumb are links and the special identifier is not
used.
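As an added illustration, not code from the module or from the advisory, the following standalone PHP shows the pattern the description refers to: link items go through an escaping link builder, while a non-link item such as the page title is concatenated into the markup raw, next to the corrected version that escapes every item. The item array shape and function names are assumptions; in Drupal 7 the equivalents are l() for links and check_plain() for plain text.

```php
<?php
// Added example, not code from the Custom Breadcrumbs module.
// Assumed item shape: ['title' => string, 'href' => string|null];
// an item with href === null is a plain-text crumb (e.g. the current page title).

function escape_html(string $s): string {
    // Equivalent of Drupal 7's check_plain(): escape for an HTML text context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: link items are escaped (as l() does in Drupal), but the
// non-link item is inserted into the markup unchanged.
function render_breadcrumb_vulnerable(array $items): string {
    $parts = [];
    foreach ($items as $item) {
        if ($item['href'] !== null) {
            $parts[] = '<a href="' . escape_html($item['href']) . '">'
                     . escape_html($item['title']) . '</a>';
        } else {
            $parts[] = $item['title'];  // raw: a user-influenced title reaches the page
        }
    }
    return '<div class="breadcrumb">' . implode(' &raquo; ', $parts) . '</div>';
}

// Hardened pattern: every title is escaped, whether or not it is a link.
function render_breadcrumb_safe(array $items): string {
    $parts = [];
    foreach ($items as $item) {
        $title = escape_html($item['title']);
        $parts[] = $item['href'] !== null
            ? '<a href="' . escape_html($item['href']) . '">' . $title . '</a>'
            : $title;
    }
    return '<div class="breadcrumb">' . implode(' &raquo; ', $parts) . '</div>';
}

// Constructed sample input: a node title containing markup, shown as the
// final, non-link crumb.
$crumbs = [
    ['title' => 'Home',             'href' => '/'],
    ['title' => 'Articles',         'href' => '/articles'],
    ['title' => 'Q3 <b>report</b>', 'href' => null],
];

echo render_breadcrumb_vulnerable($crumbs), "\n";  // markup in the title is not neutralized
echo render_breadcrumb_safe($crumbs), "\n";        // markup in the title is escaped
```

Running both renderers over the same input makes the difference visible in the emitted HTML: only the hardened version treats the non-link title as text.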
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
* Custom Breadcrumbs 6.x-2.x versions are NOT affected
* Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1
Drupal core is not affected. If you do not use the contributed Custom
Breadcrumbs [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x,
upgrade to Custom Breadcrumbs 6.x-1.6 [5].
* If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x,
upgrade to Custom Breadcrumbs 7.x-2.0-beta1 [6].
Also see the Custom Breadcrumbs [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Markus Sipilä [8]
-------- FIXED BY ------------------------------------------------------------
* Markus Sipilä [9]
* Colan Schwartz [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/custom_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_breadcrumbs
[5] https://www.drupal.org/node/2335705
[6] https://www.drupal.org/node/2335721
[7] https://www.drupal.org/project/custom_breadcrumbs
[8] https://www.drupal.org/user/109674
[9] https://www.drupal.org/user/109674
[10] https://www.drupal.org/user/58704
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.