  • Advisory ID: DRUPAL-SA-2008-049
  • Project: Talk (third-party module)
  • Version: 5.x, 6.x
  • Date: 2008-September-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting, Node access bypass

Description

The Talk module for Drupal 5.x and 6.x creates a "Talk" tab for nodes in which the comments belonging to the node are displayed.

Two vulnerabilities and weaknesses were discovered in the contributed Talk module.

Cross site scripting

The node title is treated as if it was safe text, and is not escaped before being displayed. This allows users to insert arbitrary HTML and script code into the Talk pages. Wikipedia has more information about such cross site scripting (XSS) attacks.

Node access bypass

To view the comments of a normal node, you must view the node page itself, and thus you must always have access to view a node before you can view its comments. The Talk module bypassed this by displaying comments on a separate page and not confirming that a user has access to view the node before displaying the comments.
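
The two flaws described above, modelled side by side with their fixes in standalone PHP; this is an added example, not code from the Talk module or from Drupal. The function names, the access policy in can_view_node() (a stand-in for Drupal's node_access('view', ...)) and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration only: a standalone model of a "Talk"-style comments page.
// All function names and data below are hypothetical, not the module's code.

// Stand-in for Drupal's node_access('view', $node). Assumed policy: a node is
// viewable if it is published or the account is its author.
function can_view_node(array $node, array $account): bool {
    return $node['published'] || $node['uid'] === $account['uid'];
}

// htmlspecialchars()-based escaping, the job Drupal's check_plain() does.
function escape_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_comments(array $node): string {
    $out = '';
    foreach ($node['comments'] as $comment) {
        $out .= '<div class="comment">' . escape_plain($comment) . "</div>\n";
    }
    return $out;
}

// Before: the title is emitted as trusted markup and $account is never
// consulted, so anyone who can reach the page sees the node's comments.
function talk_page_vulnerable(array $node, array $account): string {
    return '<h1>Talk: ' . $node['title'] . "</h1>\n" . render_comments($node);
}

// After: refuse unless the viewer may see the parent node, and escape the
// user-supplied title before it reaches the page.
function talk_page_hardened(array $node, array $account): string {
    if (!can_view_node($node, $account)) {
        return "403 Access denied\n";
    }
    return '<h1>Talk: ' . escape_plain($node['title']) . "</h1>\n"
        . render_comments($node);
}

// Constructed sample data: an unpublished node with markup in its title.
$node = ['uid' => 1, 'published' => false,
         'title' => '<script>alert(1)</script>', 'comments' => ['internal note']];
$author  = ['uid' => 1];
$visitor = ['uid' => 2];

echo "--- vulnerable, visitor ---\n", talk_page_vulnerable($node, $visitor);
echo "--- hardened, visitor ---\n",   talk_page_hardened($node, $visitor);
echo "--- hardened, author ---\n",    talk_page_hardened($node, $author);
```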

Versions affected

  • Talk for Drupal 5.x before version 5.x-1.3
  • Talk for Drupal 6.x before version 6.x-1.5

Drupal core is not affected. If you do not use the contributed Talk module, there is nothing you need to do.

Solution

Install the latest version:

See also the Talk project page.

Reported by

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.