- Advisory ID: DRUPAL-SA-CONTRIB-2009-033
- Project: Quiz (third-party module)
- Version: 5.x, 6.x
- Date: 2009-June-03
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. A user who has access to create quizzes or quiz questions could attempt a cross site scripting (XSS) attack which may lead to the user gaining full administrative access.
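As an added illustration (not code from the Quiz module or from this advisory), the following standalone PHP shows the class of defect described above: a hypothetical render function that inlines a quiz question title into markup unescaped, beside the hardened form that escapes it the way Drupal 6's check_plain() does. The function names, the sample question data and the HTML layout are assumptions.

```php
<?php
// Added example; not from the Quiz module. Shows unescaped versus escaped
// output of user-supplied quiz data in a Drupal 6 style render function.
// Function names, sample data and markup are hypothetical.

// Constructed sample: a question title as a quiz author could submit it,
// carrying script content that must never reach the page unescaped.
$question = array(
  'nid'   => 42,
  'title' => 'Capital of France? <script>alert(1)</script>',
);

// Vulnerable pattern: the title is concatenated into markup as-is, so any
// HTML or script in it is interpreted by the viewer's browser.
function render_question_unsafe(array $question) {
  return '<h2 class="quiz-question">' . $question['title'] . '</h2>';
}

// Hardened pattern: plain-text fields are escaped before being placed in
// markup. Inside a Drupal 6 bootstrap this is check_plain($text); outside
// one, the equivalent is htmlspecialchars() with ENT_QUOTES and UTF-8.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_question_safe(array $question) {
  return '<h2 class="quiz-question">' . escape_plain($question['title']) . '</h2>';
}

// Fields that legitimately carry markup (for example a question body entered
// through an input format) go through filter_xss() or check_markup() in
// Drupal 6 rather than check_plain(), so permitted tags survive while script
// elements and event-handler attributes are stripped.

echo "unsafe: " . render_question_unsafe($question) . "\n";
echo "safe:   " . render_question_safe($question) . "\n";

// Self-check: the escaped rendering must not contain a raw <script> tag.
assert(strpos(render_question_safe($question), '<script') === false);
```

Run with `php example.php`; the "safe" line shows the angle brackets of the injected tag rendered as `&lt;` and `&gt;` entities.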
Versions affected
- All versions of Quiz for Drupal 5.x
- Quiz 6.x-2.x prior to 6.x-2.2
- Quiz 6.x-3.x prior to 6.x-3.0
Drupal core is not affected. If you do not use the contributed Quiz module, there is nothing you need to do.
Solution
If you use Drupal 5.x, uninstall the Quiz module, which has been marked unmaintained for six months, or upgrade to Quiz for Drupal 6.x.
If you use Drupal 6.x, install the latest version:
- If you use Email Verification 6.x-2.x upgrade to Quiz 6.x-2.2
- If you use Email Verification 6.x-3.x upgrade to Quiz 6.x-3.0
See also the Quiz project page.
Reported by
Matt Butcher and Stéphane Corlosquet of the Drupal Security Team.
Fixed by
Matt Butcher, sivaji and Stéphane Corlosquet of the Drupal Security Team.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.