• Advisory ID: DRUPAL-PSA-2012-001
  • Version: 6.x, 7.x
  • Date: 2012-March-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

This is a public service announcement regarding possible cross-site scripting risks associated with interface localizations for Drupal. Drupal has cross-site scripting prevention filters in the interface localization import code in Drupal core, however, the extent to which localization can be used to inject markup to webpages is wider, and due to Drupal's localization architecture and code reuse, we cannot tell in advance where the localized text is going to be used and how we should sanitize the translated text. When translated text is used, developers do not expect that it might cause cross-site scripting issues and therefore do not use filtering techniques when the resulting text is assembled into the output.

You should be aware that Drupal's cross-site scripting prevention for interface localizations is not complete and therefore you should review the localizations imported to your site before importing them or ensure that they come from trusted sources. Even Drupal's central localization source, localize.drupal.org has configurable permission system for teams. Those teams where translations are moderated by a team of volunteers are less likely to contain any attack code.

Consequently we are adding translate interface to our list of advanced permissions in our Security advisories process and permissions policy document.

The issue also affect contributed modules like Localization update which automate localization import from localize.drupal.org and compatible servers or String overrides, which allows you to use the localization system to override English built-in text.

Versions affected

Multiple modules can be used to translate the interface text. Some of those are

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Given that translations strings can be harmful, you should treat them with the same skepticism that you treat modules. Get them from reputable sources or review them prior to using them.

See also the project page.

Reported by

Fixed by

This PSA drafted by:

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.