By Heine on
  • Advisory ID: DRUPAL-SA-2008-028
  • Project: Internationalization and Localizer (third-party modules)
  • Versions: 5.x and 6.x
  • Date: 2008-April-23
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Description

The Internationalization (i18n) and Localizer modules add multi-lingual capabilities to Drupal sites. They provide control over a site's user interface language, the ability to enter and control content in multiple languages, and can detect the browser language.

Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages. Wikipedia has more information about cross site scripting (XSS).

This also fixes a minor Cross Site Request Forgery (CSRF) in the Internationalization module. The translation module handles content translations and creates translation sets of various nodes which are translations from one another. A CSRF attack may result in a node translation becoming unrelated from its corresponding translation set.

Versions affected

  • Internationalization (i18n) for Drupal 5.x before Internationalization 5.x-2.3 and 5.x-1.1
  • Internationalization (i18n) for Drupal 6.x before Internationalization 6.x-1.0-beta1
  • Localizer for Drupal 5.x before Localizer 5.x-3.4, 5.x-2.1 and 5.x-1.11

Drupal core is not affected. If you do not use the contributed modules Internationalization or Localizer, there is nothing you need to do.

Solution

Install the latest version:

See also the Internationalization project page and the Localizer project page.

Reported by

Stéphane Corlosquet (scor) of the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.