  • Advisory ID: DRUPAL-SA-CONTRIB-2009-007
  • Project: Advertisement module (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009 February 11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)

Description

The Advertisement module displays and tracks advertisements on Drupal websites. Unsanitized text is displayed in several places, allowing users with "administer advertisements" permissions to execute arbitrary code.

In addition, users with "administer advertisements" permissions can configure the Advertisement module to ignore Drupal's standard input filters, which then allows any user with "create advertisements" permissions to execute arbitrary code.
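The two rendering paths the advisory describes, as an added illustration in Drupal 6 style (hypothetical helper functions, not the Advertisement module's own code): an unsafe path that echoes stored advertisement text verbatim, beside a hardened path that keeps a sanitizer in place even when an administrator asks to bypass the configured input format. `check_markup()`, `filter_xss()` and `check_plain()` are the real Drupal 6 API; the `$ad` object and its fields are assumed.

```php
<?php
// Added example, not code from the Advertisement module.
// Assumed: $ad has ->title, ->body and ->format (an input format id).

// Unsafe: the stored body is emitted as-is, so any "create advertisements"
// user who stores markup such as <script> has it rendered for every visitor.
function example_ad_render_unsafe($ad) {
  return '<div class="ad">' . $ad->body . '</div>';
}

// Hardened: the body always passes through a sanitizer. The admin-level
// "ignore input filters" setting only switches between the site's
// configured input format and a restrictive tag whitelist; it never
// yields raw output.
function example_ad_render_safe($ad, $ignore_input_filters = FALSE) {
  if ($ignore_input_filters) {
    // Whitelist-based stripping: unknown tags and event/script attributes
    // are removed by filter_xss().
    $body = filter_xss($ad->body, array('a', 'em', 'strong', 'img', 'br'));
  }
  else {
    // Normal path: apply the text format the ad was saved with.
    $body = check_markup($ad->body, $ad->format, FALSE);
  }
  // The title lands in an attribute: escape it as plain text.
  return '<div class="ad" title="' . check_plain($ad->title) . '">'
    . $body . '</div>';
}
```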

Versions affected

  • Versions of Advertisement module for Drupal 5.x prior to 5.x-1.7.
  • Versions of Advertisement module for Drupal 6.x prior to 6.x-1.0-rc1.

Note that this vulnerability also affects the unsupported branches of code for 4.7 and 5.x-2.x. The Advertisement module maintainer will update these at his discretion. If you use those unsupported versions you should disable them until an updated release is available.

Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Advertisement module for Drupal 5.x, upgrade to 5.x-1.7.
  • If you use the Advertisement module for Drupal 6.x, upgrade to 6.x-1.0-rc1.

See also the Advertisement project page.

Reported by

Justin C. Klein Keane.

Fixed by

Jeremy Andrews (Jeremy)

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.