• Advisory ID: DRUPAL-SA-CONTRIB-2009-027
  • Project: Printer, e-mail and PDF versions (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009-May-13
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content. Note, this vulnerability is identical to that fixed for Drupal core by DRUPAL-SA-CORE-2009-005

Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.

Versions Affected

  • Versions of "Printer, e-mail and PDF versions" for Drupal 5.x prior to 5.x-4.7
  • Versions of "Printer, e-mail and PDF versions" for Drupal 6.x prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed "Printer, e-mail and PDF versions" module, there is nothing you need to do.

Solution

Install the latest version:

Reported by

Daniel F. Kudwien

Fixed by

João Ventura

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.