Drupal Award Module Award Title Field HTML Injection Vulnerability
BID:40118
Info
Drupal Award Module Award Title Field HTML Injection Vulnerability
| Bugtraq ID: | 40118 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 12 2010 12:00AM |
| Updated: | May 12 2010 12:00AM |
| Credit: | Martin Barbella |
| Vulnerable: |
Drupal Award 6.x-1.0 Drupal Award 5.x-1.1 |
| Not Vulnerable: |
Drupal Award 6.x-1.1 Drupal Award 5.x-1.2 |
Discussion
Drupal Award Module Award Title Field HTML Injection Vulnerability
The Award module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
To exploit this issue, the attacker must have permissions to create Award content.
Versions prior to Award 5.x-1.2 and 6.x-1.1 are vulnerable.
The Award module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
To exploit this issue, the attacker must have permissions to create Award content.
Versions prior to Award 5.x-1.2 and 6.x-1.1 are vulnerable.
Exploit / POC
Drupal Award Module Award Title Field HTML Injection Vulnerability
Attackers can use a browser to exploit this issue.
Attackers can use a browser to exploit this issue.
Solution / Fix
Drupal Award Module Award Title Field HTML Injection Vulnerability
Solution:
Updates are available. Please see the references for details.
Drupal Award 5.x-1.1
Drupal Award 6.x-1.0
Solution:
Updates are available. Please see the references for details.
Drupal Award 5.x-1.1
-
Drupal award-5.x-1.2.tar.gz
http://ftp.drupal.org/files/projects/award-5.x-1.2.tar.gz
Drupal Award 6.x-1.0
-
Drupal award-6.x-1.1.tar.gz
http://ftp.drupal.org/files/projects/award-6.x-1.1.tar.gz
References
Drupal Award Module Award Title Field HTML Injection Vulnerability
References:
References:
- Award Homepage (Drupal)
- Drupal Language Switcher Dropdown Homepage (Drupal)
- SA-CONTRIB-2010-046: Award - Cross Site Scripting (Drupal)