- Advisory ID: DRUPAL-SA-CONTRIB-2010-069
- Project: Case Tracker (third-party module)
- Version: 5.x
- Date: 2010-June-23
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple Vulnerabilities
Description
The Case Tracker module enables teams to track outstanding cases which need resolution by attaching a status, priority and type.
Cross Site Scripting (XSS)
The module does not sanitize some of the user-supplied data before displaying it, leading to a cross site scripting (XSS) vulnerability through which a malicious user may gain full administrative access. This vulnerability is mitigated by the fact that an attacker must have the "administer casetracker" permission, which should generally only be granted to trusted roles.
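The defect class described above, shown as an added illustration rather than the Case Tracker module's own code: a user-supplied status label concatenated into markup as-is, beside the same output escaped with Drupal's check_plain(). The theme function names and the $status->name field are hypothetical; check_plain() is the real Drupal API function, and a stand-in is defined only so the file runs outside Drupal.

```php
<?php
// Added example, not code from the Case Tracker module. The theme function
// names and the $status->name field are assumptions for illustration.
// check_plain() is Drupal's HTML escaper; this minimal stand-in exists only
// so the snippet runs outside a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the user-supplied label goes into the markup unchanged,
// so any HTML it carries is interpreted by the browser of whoever views it.
function theme_casetracker_status_cell_unsafe($status) {
  return '<td class="status">' . $status->name . '</td>';
}

// Hardened pattern: escape at output time. Angle brackets, quotes and
// ampersands become entities, so the label is displayed literally.
function theme_casetracker_status_cell($status) {
  return '<td class="status">' . check_plain($status->name) . '</td>';
}

// Constructed sample input: a status label containing markup characters.
$status = new stdClass();
$status->name = '<em>Open</em> & urgent';

print theme_casetracker_status_cell_unsafe($status) . "\n";
print theme_casetracker_status_cell($status) . "\n";
```

The same rule applies to every user-controlled string the module renders (priority and type names, case titles, user names): escape with check_plain() or filter_xss() at the point of output, not on the way into the database.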
Access Bypass
The module provides the "access case tracker" permission, which is used to restrict access to reports and other functionality it provides. However, it was also used to restrict access to individual project and case nodes, but only in some instances. This access check has been removed, and users are instead encouraged to install a content access module to restrict access to these nodes.
Versions affected
- Case Tracker module for Drupal 5.x versions prior to 5.x-1.4
Drupal core is not affected. If you do not use the contributed Case Tracker module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Case Tracker module for Drupal 5.x, upgrade to Case Tracker 5.x-1.4
As the "access case tracker" permission no longer controls access to project and case nodes, users are encouraged to install a content access module to restrict access to these nodes as necessary.
See also the Case Tracker project page.
Reported by
Fixed by
- Jeff Miccolis, module maintainer
- David Rothstein of the Drupal security team
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.