- Advisory ID: DRUPAL-SA-CONTRIB-2009-012
- Project: Printer, e-mail and PDF versions (third-party module)
- Versions: 5.x, 6.x
- Date: 2009 March 18
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Unrestricted e-mailing (spam)
The "Send by e-mail" module, part of the "Printer, e-mail and PDF versions" project, allows users to send e-mail messages while viewing content on the site. This module was found to have multiple vulnerabilities.
Unrestricted e-mailing (spam)
Due to improper use of Drupal's flood control API, it is possible for spammers or spambots to send an unlimited numbers of e-mails using the "Send by e-mail" module.
This vulnerability is very similar to the recent vulnerability found in the Forward module and reported in SA-CONTRIB-2009-009. The security team has received reports of this vulnerability being actively exploited on production sites using the Forward module.
In addition, when sending out e-mails in HTML format, some content is not properly filtered, allowing malicious users to inject arbitrary HTML and script code into these e-mails.
Versions Affected
- Versions of "Printer, e-mail and PDF versions" 5.x prior to 5.x-4.4
- Versions of "Printer, e-mail and PDF versions" 6.x prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed "Printer, e-mail and PDF versions" module, there is nothing you need to do.
Solution
Install the latest version:
- If you use "Printer, e-mail and PDF versions" 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.4
- If you use "Printer, e-mail and PDF versions" 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.4
Reported by
João Ventura, the "Printer, e-mail and PDF versions" project maintainer
Fixed by
João Ventura, with assistance from James Gilliand and David Rothstein of the Drupal security team
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.