• Advisory ID: DRUPAL-SA-2008-048-b
  • Project: CCK (third-party module)
  • Version: 5.x
  • Date: 2008-Sep-04
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting

Update

This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9.

Description

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on the fields settings forms are then displayed without appropriate filtering. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

Versions affected

  • CCK for Drupal 5.x prior to 5.x-1.9

Drupal core is not affected. The CCK RC releases for Drupal 6 are not affected.
If you do not use the contributed CCK module on a Drupal 5 site, there is nothing you need to do.

Solution

Install the latest version:

See also the CCK project page.

Note

If your theme uses field templates, you will need to manually change the function phptemplate_field (or possibly THEME_NAME_field) in your theme's template.php:
change:
'label' => t($field['widget']['label']),
to:
'label' => check_plain(t($field['widget']['label']))

Reported by

  • The cross site scripting issue was reported by Peter Wolanin from the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.