• Advisory ID: DRUPAL-SA-CONTRIB-2009-030
  • Project: Email Verification (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-May-20
  • Security risk: High
  • Exploitable from: Remote
  • Vulnerability: Information disclosure, Cross Site Scripting

Description

The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to view a list of email addresses that have not yet been confirmed. In the Drupal 5 version, this list is only protected by the "access content" permission, which is normally granted to anonymous and authenticated users alike, hence allowing a wide range of users to read these addresses. In the Drupal 6 version this list is properly protected.

In both versions the usernames and email addresses in this list are not properly escaped before being output, allowing Cross Site Scripting (XSS) attacks against whoever views the list. To learn more about Cross Site Scripting, read this article.
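The following is an added illustration of the two classes of bug the advisory describes, written for this page and not taken from the Email Verification module's own code. The module name "verifydemo", the menu path, the page callback and the {verifydemo_pending} table are all assumed for the example; the Drupal 5 and Drupal 6 menu hooks are shown side by side because the advisory covers both branches. Note that a username and e-mail address are chosen by the registering user, so on a site with open registration an attacker can plant the payload simply by creating an account and waiting for an administrator to open the list.

```php
<?php
// Added example (not the Email Verification module's code). Module name,
// path, callback and table are assumptions made for the illustration.

// --- Drupal 5: the access-control bug and its fix -------------------------
function verifydemo_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'admin/user/verifydemo',
      'title' => t('Unconfirmed e-mail addresses'),
      'callback' => 'verifydemo_list_page',
      // Vulnerable: 'access content' is granted to almost every role, so
      // anyone who can read a node could read the list of addresses:
      //   'access' => user_access('access content'),
      // Fixed: restrict the page to administrators.
      'access' => user_access('administer users'),
      'type' => MENU_NORMAL_ITEM,
    );
  }
  return $items;
}

// --- Drupal 6: the same menu item in the 6.x hook_menu() style -------------
// (would be named verifydemo_menu() in a real 6.x module; renamed here only
// so both variants can sit in one file)
function verifydemo_menu_d6() {
  $items['admin/user/verifydemo'] = array(
    'title' => 'Unconfirmed e-mail addresses',
    'page callback' => 'verifydemo_list_page',
    // Drupal 6 checks this through user_access() before running the callback.
    'access arguments' => array('administer users'),
  );
  return $items;
}

// --- Both versions: the XSS bug and its fix --------------------------------
function verifydemo_list_page() {
  $header = array(t('Username'), t('E-mail'));
  $rows = array();
  // Assumed table {verifydemo_pending}(uid, mail); a real module's schema differs.
  $result = db_query("SELECT u.name, p.mail FROM {verifydemo_pending} p
                      INNER JOIN {users} u ON u.uid = p.uid");
  while ($row = db_fetch_object($result)) {
    // Vulnerable: values typed in at registration land unescaped in the
    // admin's HTML table, so a name like "<script>...</script>" executes:
    //   $rows[] = array($row->name, $row->mail);
    // Fixed: escape every user-supplied field before it becomes markup.
    $rows[] = array(check_plain($row->name), check_plain($row->mail));
  }
  return theme('table', $header, $rows);
}
```

The two fixes are independent: tightening the permission stops unprivileged users from reading the addresses, while check_plain() protects the administrator who is entitled to read them. Applying only the permission fix would still leave the administrator exposed to a payload stored in a username.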

Versions affected

  • Email Verification 5.x-1.x prior to 5.x-2.1
  • Email Verification 6.x-1.x prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Email Verification module, there is nothing you need to do.

Solution

Install the latest version (the first releases not listed as affected above):

  • If you use Email Verification for Drupal 5.x, upgrade to Email Verification 5.x-2.1.
  • If you use Email Verification for Drupal 6.x, upgrade to Email Verification 6.x-1.2.

See also the Email Verification project page.

Reported by

Gerhard Killesreiter (killes@www.drop.org)

Fixed by

Gerhard Killesreiter (killes@www.drop.org) of the Drupal Security Team.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.