- Advisory ID: DRUPAL-SA-CONTRIB-2011-023
- Project: Prepopulate (third-party module)
- Version: 6.x
- Date: 2011-June-08
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Multiple
Description
The Prepopulate module enables pre-populating forms in Drupal using the $_REQUEST variable.
The module does not adequately validate user input, leading to a cross-site scripting (XSS) possibility in certain circumstances. Users privileged to use forms with certain form fields can insert arbitrary HTML and script code into the rendered form. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).
The module does not properly protect the forms against Cross-site Request Forgeries (CSRF), allowing a malicious user to trick an authorized user into submitting unintended values on a form. Wikipedia has more information about cross-site request forgery.
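The two weaknesses described above, shown as an added Drupal 6 illustration that is not the Prepopulate module's own code: an unsafe hook_form_alter() that copies request data straight into a form, next to a hardened version. The form id 'example_node_form', the 'edit' and 'token' request keys and the whitelisted 'title' field are assumptions for the example.

```php
<?php
// Added illustration, not the Prepopulate module's code. Assumed request shape:
// ?edit[field]=value&token=..., hypothetical form id 'example_node_form'.

// Unsafe pattern: any field named in the request is prepopulated with the raw
// value, so a crafted link controls what the rendered form contains (the XSS
// risk) and can pre-fill a form the victim then submits (the CSRF risk).
function example_unsafe_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id == 'example_node_form' && isset($_REQUEST['edit'])) {
    foreach ($_REQUEST['edit'] as $key => $value) {
      $form[$key]['#default_value'] = $value;
    }
  }
}

// Hardened pattern:
//  - only an explicit whitelist of fields may be prepopulated;
//  - only scalar string values are accepted;
//  - values are escaped with check_plain() (assumed here to be rendered
//    without further escaping by the field's theme function);
//  - the request must carry a token issued by the site itself via
//    drupal_get_token('prepopulate-' . $form_id), so third-party links
//    cannot pre-fill the form (mitigates the CSRF described above).
function example_safe_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id != 'example_node_form' || empty($_GET['edit']) || !is_array($_GET['edit'])) {
    return;
  }
  $allowed = array('title');  // assumed whitelist of prepopulatable fields
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'prepopulate-' . $form_id)) {
    return;  // untrusted link: leave the form untouched
  }
  foreach ($_GET['edit'] as $key => $value) {
    if (in_array($key, $allowed, TRUE) && is_string($value) && isset($form[$key])) {
      $form[$key]['#default_value'] = check_plain($value);
    }
  }
}
```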
Versions affected
- Prepopulate module for Drupal 6.x versions prior to 6.x-2.2
Drupal core is not affected. If you do not use the contributed Prepopulate module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Prepopulate module for Drupal 6.x upgrade to Prepopulate 6.x-2.2
Reported by
- XSS by Ezra B. Gildesgame (ezra-g)
- CSRF by David Rothstein (David_Rothstein), of the Drupal security team
Fixed by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.