- Advisory ID: DRUPAL-SA-CONTRIB-2009-027
- Project: Printer, e-mail and PDF versions (third-party module)
- Versions: 5.x, 6.x
- Date: 2009-May-13
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content. Note, this vulnerability is identical to that fixed for Drupal core by DRUPAL-SA-CORE-2009-005
Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
Versions Affected
- Versions of "Printer, e-mail and PDF versions" for Drupal 5.x prior to 5.x-4.7
- Versions of "Printer, e-mail and PDF versions" for Drupal 6.x prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed "Printer, e-mail and PDF versions" module, there is nothing you need to do.
Solution
Install the latest version:
- If you use "Printer, e-mail and PDF versions" for Drupal 5.x upgrade to Printer, e-mail and PDF versions 5.x-4.7
- If you use "Printer, e-mail and PDF versions" for Drupal 6.x upgrade to Printer, e-mail and PDF versions 6.x-1.7
Reported by
Fixed by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.