  • Advisory ID: DRUPAL-SA-CONTRIB-2009-012
  • Project: Printer, e-mail and PDF versions (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009 March 18
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Unrestricted e-mailing (spam)

The "Send by e-mail" module, part of the "Printer, e-mail and PDF versions" project, allows users to send e-mail messages while viewing content on the site. This module was found to have multiple vulnerabilities.

Unrestricted e-mailing (spam)

Due to improper use of Drupal's flood control API, it is possible for spammers or spambots to send an unlimited number of e-mails using the "Send by e-mail" module.

This vulnerability is very similar to the recent vulnerability found in the Forward module and reported in SA-CONTRIB-2009-009. The security team has received reports of this vulnerability being actively exploited on production sites using the Forward module.

In addition, when sending out e-mails in HTML format, some content is not properly filtered, allowing malicious users to inject arbitrary HTML and script code into these e-mails.
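The two issues above are both about how a "send this page by e-mail" form uses Drupal APIs. The following Drupal 6 snippet is an added illustration, not code from the "Printer, e-mail and PDF versions" project: it shows the flood control API used so that the per-IP threshold is actually enforced on every submission, and visitor-supplied text escaped before it is placed in an HTML mail. All function, variable and form names (`my_sendmail_*`) are assumed for the example.

```php
<?php
// Added example (not the module's code): a Drupal 6 "send page by e-mail"
// form that enforces the flood threshold and filters content for HTML mail.
// Names prefixed my_sendmail_ are assumed for illustration.

function my_sendmail_form(&$form_state, $nid) {
  $form['nid']     = array('#type' => 'value', '#value' => $nid);
  $form['email']   = array('#type' => 'textfield', '#title' => t('Recipient e-mail'), '#required' => TRUE);
  $form['message'] = array('#type' => 'textarea', '#title' => t('Your message'));
  $form['submit']  = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

function my_sendmail_form_validate($form, &$form_state) {
  // flood_is_allowed() counts the events registered for this hostname in
  // the last hour. The check must run on every submission, before anything
  // is sent; a threshold that is never consulted limits nothing.
  $limit = variable_get('my_sendmail_hourly_threshold', 3);
  if (!flood_is_allowed('my_sendmail', $limit)) {
    form_set_error('', t('You cannot send more than %number messages per hour. Please try again later.', array('%number' => $limit)));
  }
  if (!valid_email_address($form_state['values']['email'])) {
    form_set_error('email', t('The e-mail address %mail is not valid.', array('%mail' => $form_state['values']['email'])));
  }
}

function my_sendmail_form_submit($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  // Everything that ends up in an HTML mail is either escaped with
  // check_plain() or reduced to a known-safe tag set with filter_xss(),
  // so a visitor cannot inject script into the message a recipient opens.
  $params = array(
    'subject' => check_plain($node->title),
    'message' => check_plain($form_state['values']['message']),
    'body'    => filter_xss($node->body, array('a', 'p', 'br', 'em', 'strong')),
  );
  drupal_mail('my_sendmail', 'page', $form_state['values']['email'], language_default(), $params);
  // Register the event only after a message was actually sent, so every
  // delivery counts toward the hourly threshold checked above.
  flood_register_event('my_sendmail');
  drupal_set_message(t('Your message has been sent.'));
}

// hook_mail(): builds the HTML message from the already-filtered parameters.
function my_sendmail_mail($key, &$message, $params) {
  $message['headers']['Content-Type'] = 'text/html; charset=UTF-8; format=flowed';
  $message['subject'] = $params['subject'];
  $message['body'][] = '<p>' . $params['message'] . '</p>' . $params['body'];
}
```

The combination matters: a form that calls `flood_register_event()` without a matching `flood_is_allowed()` check on every submission, or that builds the mail body from unescaped form input, has the same class of weakness the advisory describes.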

Versions Affected

  • Versions of "Printer, e-mail and PDF versions" 5.x prior to 5.x-4.4
  • Versions of "Printer, e-mail and PDF versions" 6.x prior to 6.x-1.4

Drupal core is not affected. If you do not use the contributed "Printer, e-mail and PDF versions" module, there is nothing you need to do.

Solution

Install the latest version:

Reported by

João Ventura, the "Printer, e-mail and PDF versions" project maintainer

Fixed by

João Ventura, with assistance from James Gilliland and David Rothstein of the Drupal security team

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.