As per: https://security.drupal.org/node/80833

Hi,

Thank you for creating and maintaining feedback_reloaded. This module has helped me a lot. Reading its code, I found an XSS vulnerability:

from feedback_reloaded.module, lines 706-710:

    $defaults = array(
      'uid' => $user->uid,
      'timestamp' => REQUEST_TIME,
      // Stored exactly as the client sent it, without escaping.
      'useragent' => $_SERVER['HTTP_USER_AGENT'],
    );

It is possible to send arbitrary text as the user agent. That text can contain script, applet, iframe or object tags. This stuff will live in the db and will be executed each time a user views the feedback/[id] or admin/reports/feedback pages.
The user agent should be sanitized either at input or at output time. I'd simply use 'useragent' => check_plain($_SERVER['HTTP_USER_AGENT']),

Best Regards
Constantine Parkhimovich

Thanks Constantine for reporting this!
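The following is an added example, not code from feedback_reloaded or from the reporter. It reproduces the stored-XSS path described in the report with a constructed User-Agent header, shows the row rendered raw versus escaped at output time, and illustrates the input-time variant suggested above together with the double-encoding you get if both layers escape. check_plain_standin() is an assumed stand-in for Drupal 7's check_plain() (which is htmlspecialchars with ENT_QUOTES and UTF-8); the array-backed $db stands in for the feedback table.

```php
<?php
// Added example, not the module's own code.
// Stand-in for Drupal 7's check_plain(): escapes &, <, >, " and ' for HTML text.
function check_plain_standin($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mirrors the $defaults array quoted in the report: the header is stored raw.
function build_defaults_vulnerable(array $server) {
    return array(
        'uid' => 0,
        'timestamp' => time(),
        'useragent' => $server['HTTP_USER_AGENT'],
    );
}

// Variant from the report: escape once, at input time, before the value is stored.
function build_defaults_input_escaped(array $server) {
    return array(
        'uid' => 0,
        'timestamp' => time(),
        'useragent' => check_plain_standin($server['HTTP_USER_AGENT']),
    );
}

// Vulnerable report row: the stored value is concatenated straight into HTML,
// which is what feedback/[id] and admin/reports/feedback effectively did.
function render_row_vulnerable(array $row) {
    return '<td>' . $row['useragent'] . '</td>';
}

// Hardened row: escape at output time. The database keeps the real header,
// so exports, searches and non-HTML consumers still see the original string.
function render_row_output_escaped(array $row) {
    return '<td>' . check_plain_standin($row['useragent']) . '</td>';
}

// Simple check a test suite could run over rendered admin pages.
function contains_raw_script_tag($html) {
    return stripos($html, '<script') !== false;
}

// Constructed request: any HTTP client can set this header to anything.
$server = array(
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <script>alert(document.cookie)</script>',
);

// Assumed storage: in Drupal this would be drupal_write_record() into the feedback table.
$db = array();
$db[] = build_defaults_vulnerable($server);
$row = $db[0];

echo "vulnerable:       ", render_row_vulnerable($row), "\n";
echo "output-escaped:   ", render_row_output_escaped($row), "\n";
echo "vulnerable has live <script>: ", var_export(contains_raw_script_tag(render_row_vulnerable($row)), true), "\n";
echo "escaped has live <script>:    ", var_export(contains_raw_script_tag(render_row_output_escaped($row)), true), "\n";

// Caveat: escaping on input AND on output double-encodes. Admins would see
// literal "&amp;lt;script&amp;gt;" text. Pick one layer and apply it consistently;
// Drupal convention is to store raw and escape when rendering.
$double = render_row_output_escaped(build_defaults_input_escaped($server));
echo "double-escaped:   ", $double, "\n";
```

Run it with `php example.php`. The same pattern applies to every other request-controlled field the module stores (referer, path, browser locale); only the User-Agent is shown because that is the field the report names.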

Comments

alexweber

Status: Active » Fixed

Fixed in cad5673.

New release to follow in a couple minutes.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.