  • Advisory ID: DRUPAL-SA-2006-031.
  • Project: Project and Project issue tracking (third party modules).
  • Date: 2006-Dec-18.
  • Security risk: Less critical.
  • Exploitable from: Remote.
  • Vulnerability: Cross site scripting.

Description

Several fields are not passed through check_plain() on display. A malicious user could use these fields to insert and execute XSS (Cross Site Scripting). This may lead to administrator access if certain conditions are met. Additionally, certain error messages are generated that include potentially malicious data without filtering.
Learn more about XSS on Wikipedia.

Revoking the "access projects" permission provides an immediate workaround.
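The defect class the advisory describes, shown as an added illustration: this is not code from the Project or Project issue tracking modules, the example_* function names and the $issue fields are hypothetical, and it assumes the Drupal 4.7-era API (check_plain(), url(), t(), drupal_set_message() and theme('table')). The "before" functions emit a stored field and an error message without escaping; the "after" functions pass every user-originated value through check_plain() at output time.

```php
<?php
// Added illustration for DRUPAL-SA-2006-031; not code from the Project or
// Project issue tracking modules. The example_* names and $issue fields are
// hypothetical. Assumes the Drupal 4.7-era API.

// Constructed sample record, standing in for a row loaded from the database.
// The title is the kind of value a malicious submitter could have stored.
$issue = (object) array(
  'nid'       => 42,
  'title'     => '<script>alert(document.cookie)</script>',
  'component' => 'Code',
);

// BEFORE: raw field values are concatenated into markup. The stored script is
// emitted verbatim and runs in the browser of anyone viewing the listing,
// including an administrator.
function example_issue_row_vulnerable($issue) {
  return array(
    '<a href="' . url('node/' . (int) $issue->nid) . '">' . $issue->title . '</a>',
    $issue->component,
  );
}

// AFTER: every value that originated with a user goes through check_plain()
// when it is displayed, so the browser receives &lt;script&gt; as text rather
// than as a tag. Escaping at output time is what the advisory's fix does.
function example_issue_row_fixed($issue) {
  return array(
    '<a href="' . url('node/' . (int) $issue->nid) . '">' . check_plain($issue->title) . '</a>',
    check_plain($issue->component),
  );
}

// The advisory also notes error messages built from unfiltered data. A value
// placed into drupal_set_message() is rendered into the page just like any
// other field, so it needs the same treatment.
function example_report_missing_vulnerable($issue) {
  drupal_set_message(t('Component ') . $issue->component . t(' does not exist.'), 'error');
}

function example_report_missing_fixed($issue) {
  // Escape the value explicitly before substituting it into the message
  // rather than relying on t() to do it.
  $name = check_plain($issue->component);
  drupal_set_message(t('Component %name does not exist.', array('%name' => $name)), 'error');
}

// Rendering the hardened row: the title shows up as literal text in the table.
$header = array(t('Issue'), t('Component'));
print theme('table', $header, array(example_issue_row_fixed($issue)));
```

The rule of thumb the fix embodies is to escape at the point of display, not at the point of storage: the same stored title may be shown in a table cell, a link label and a message, and each output path has to apply check_plain() (or another filter appropriate to that context) itself.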

Versions affected

  • Project issue tracking 4.7.x-2.0
  • Project issue tracking 4.7.x-1.0
  • Project 4.7.x-2.0
  • Project 4.7.x-1.0
  • Project 4.6.x-1.0
  • Project issue tracking 4.7.0 (from before the new release system)
  • Project 4.7.0 (from before the new release system)
  • Project 4.6.0 (from before the new release system)

Note that in 4.6.x, Project issue tracking is included as part of the Project module.

Drupal core is not affected. If you do not use the contributed Project and/or Project issue tracking modules, there is nothing you need to do.

Solution

Install the latest versions:

If you are using a version of Project and/or Project issue tracking from before the new release system (4.7.0), upgrade to 4.7.x-1.1.

See also the Project and Project issue tracking home pages.

Reported by

Derek Wright (dww) from the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.