  • Advisory ID: DRUPAL-SA-CONTRIB-2010-058
  • Project: Chaos tool suite (third-party module)
  • Versions: 6.x
  • Date: 2010 May 19
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

The Chaos tool suite (ctools) is primarily a set of APIs and tools to improve the developer experience. This module was found to have multiple vulnerabilities.

Cross-site scripting (XSS)

The module did not properly sanitize node titles under certain circumstances, resulting in multiple cross-site scripting vulnerabilities which could lead to a malicious user gaining full administrative access.

Cross-site request forgery

The module did not use the form API or tokens to protect certain administrative actions, allowing an attacker to trick an administrator into unintentionally enabling or disabling pages (cross-site request forgery).

Arbitrary PHP code execution

Users with the 'administer page manager' permission could execute arbitrary PHP code on the server via the import functionality. An additional check for the permission 'use PHP for block visibility' has been added to ensure that the site administrator has already granted users of the import functionality the permission to execute PHP.
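As an added illustration of the two fixes described above (not ctools' own code), the following Drupal 6 module sketch protects an enable/disable action with a session-bound token via drupal_get_token()/drupal_valid_token(), and gates the import page on both 'administer page manager' and 'use PHP for block visibility'. The module name example_pm, its paths and the form id are hypothetical.

```php
<?php
// Added example, not part of ctools. Module name and paths are hypothetical.

/**
 * Implementation of hook_menu().
 */
function example_pm_menu() {
  $items = array();
  // A state-changing admin action reachable by GET must carry a CSRF token.
  $items['admin/example-pm/%/enable'] = array(
    'title' => 'Enable page',
    'page callback' => 'example_pm_toggle_page',
    'page arguments' => array(2, TRUE),
    'access arguments' => array('administer page manager'),
    'type' => MENU_CALLBACK,
  );
  // Import can execute PHP, so require the PHP permission as well.
  $items['admin/example-pm/import'] = array(
    'title' => 'Import',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_pm_import_form'),
    'access callback' => 'example_pm_import_access',
  );
  return $items;
}

/**
 * Access callback: both permissions are needed to reach the import form.
 */
function example_pm_import_access() {
  return user_access('administer page manager')
    && user_access('use PHP for block visibility');
}

/**
 * Build the enable link with a token bound to the current session.
 */
function example_pm_enable_link($name) {
  $path = 'admin/example-pm/' . $name . '/enable';
  return l(t('Enable'), $path, array('query' => 'token=' . drupal_get_token($path)));
}

/**
 * Menu callback: refuse the request unless the token matches this session.
 */
function example_pm_toggle_page($name, $enable) {
  $path = 'admin/example-pm/' . $name . ($enable ? '/enable' : '/disable');
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return drupal_access_denied();
  }
  // Persisting the new state is omitted; it is not the subject of the advisory.
  drupal_set_message(t('Page %name updated.', array('%name' => $name)));
  drupal_goto('admin/example-pm');
}
```

A forged cross-site request has no way to obtain the token for the victim's session, so the callback denies it before any state changes.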

Access bypass

Users with 'access content' permission were able to view the titles of unpublished nodes under certain circumstances.

Versions Affected

  • Versions of "Chaos tool suite" for Drupal 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed "Chaos tool suite" module, there is nothing you need to do.

Solution

Install the latest version:

Reported by

The cross-site scripting issue was reported by Martin Barbella.
The cross-site request forgery, arbitrary PHP code execution, and access bypass issues were reported by Justin Klein Keane.

Fixed by

The cross-site scripting issue was fixed by Earl Miles.
The cross-site request forgery, arbitrary PHP code execution, and access bypass issues were fixed by Sam Boyer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.