  • Advisory ID: DRUPAL-SA-CONTRIB-2009-054
  • Project: Go - url redirects (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009 August 26
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

The Go - url redirects (gotwo) module lets users create URLs that redirect to another location. Multiple vulnerabilities were found in this module.

Arbitrary PHP code execution

Due to improper use of the PCRE regular expression engine, users with permission to use the input filter provided by the module are able to execute arbitrary PHP code on the server.
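The advisory does not name the PCRE feature that was misused. The usual way a regular expression replacement turns into PHP code execution is the /e modifier, which substitutes the captured submatches into the replacement string and then eval()s it, so whoever controls the filtered text controls part of the evaluated source. The following is an added illustration of that pattern in a hypothetical filter, not the gotwo module's own code: the /e version beside a preg_replace_callback() rewrite that treats the captured text as data. All function names and the [go:...] syntax are assumptions.

```php
<?php
// Added illustration, not the gotwo module's own code. The advisory does not
// say which PCRE feature was misused; the /e modifier is assumed here because
// it is the one that hands regex output to eval(). Hypothetical names throughout.
// /e needs PHP 5 (it was deprecated in 5.5 and removed in 7.0).

// Minimal stand-ins so the file runs outside Drupal; inside Drupal the core
// functions of the same name are used instead.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('check_url')) {
  function check_url($uri) {
    return check_plain($uri);  // Drupal's version also strips dangerous protocols.
  }
}

function example_build_link($target) {
  return '<a href="' . check_url($target) . '">' . check_plain($target) . '</a>';
}

// VULNERABLE: with /e, PHP substitutes each backreference into the replacement
// string and then eval()s the result as PHP. The text inside [go:...] came from
// the filtered input, so whoever can submit text through the filter is writing
// part of the PHP source that gets evaluated.
function example_filter_vulnerable($text) {
  return preg_replace('/\[go:([^\]]+)\]/e', 'example_build_link("\\1")', $text);
}

// HARDENED: preg_replace_callback() hands the submatches to a named function as
// ordinary strings. No input is ever parsed as PHP.
function example_filter_safe($text) {
  return preg_replace_callback('/\[go:([^\]]+)\]/', 'example_filter_safe_callback', $text);
}

function example_filter_safe_callback($matches) {
  return example_build_link($matches[1]);
}

// Benign input renders the same either way; the difference is only what happens
// when the captured text contains PHP syntax.
$sample = 'See [go:node/1] for details.';  // constructed sample input
print example_filter_safe($sample) . "\n";
```

The check to make when auditing a module of this era is simply to grep for preg_replace() calls whose pattern ends in an e flag and whose subject or replacement is derived from user input; every such call is an eval() of attacker-influenced text and should be converted to preg_replace_callback().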

Cross-site scripting (XSS)

User-supplied text is displayed in several places without being properly filtered, allowing malicious users to inject arbitrary HTML and script code. Such a cross-site scripting (XSS) attack may lead to a malicious user gaining full administrative access.

Access bypass and cross-site request forgery

Due to coding errors, users may be able to add redirects or reset redirect counters without having permission to do so.
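The three remaining findings share one fix pattern in Drupal 6: escape user-supplied text on output, gate operations behind a permission in the menu system, and route state-changing actions through the Form API so its per-user form token rejects forged requests. The following hypothetical "example_redirect" module is an added illustration of that pattern, written for this page and not taken from the gotwo module; the permission name, paths, table name and column names are all assumptions, and it needs a Drupal 6 site to run.

```php
<?php
// Added illustration (hypothetical "example_redirect" module; not the gotwo
// code). Drupal 6 API. Shows the three fixes the advisory describes as a
// pattern: escaping user-supplied text on output (XSS), gating operations
// behind a permission (access bypass), and routing state changes through the
// Form API, whose token check blocks cross-site request forgery.

/**
 * Implementation of hook_perm(). Permission name is an assumption.
 */
function example_redirect_perm() {
  return array('administer example redirects');
}

/**
 * Implementation of hook_menu().
 *
 * 'access arguments' makes the menu system deny the page to anyone without
 * the permission; the page callbacks never run for them.
 */
function example_redirect_menu() {
  $items['admin/build/example-redirect'] = array(
    'title' => 'Redirects',
    'page callback' => 'example_redirect_list',
    'access arguments' => array('administer example redirects'),
  );
  $items['admin/build/example-redirect/%/reset'] = array(
    'title' => 'Reset counter',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_redirect_reset_confirm', 3),
    'access arguments' => array('administer example redirects'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: lists redirects. Source and target were typed in by users,
 * so both go through check_plain() before being placed in HTML. Emitting the
 * stored strings unescaped is the defect the advisory's XSS finding describes.
 */
function example_redirect_list() {
  $header = array(t('Source'), t('Target'), t('Hits'), t('Operations'));
  $rows = array();
  $result = db_query("SELECT rid, source, target, hits FROM {example_redirect} ORDER BY rid");
  while ($row = db_fetch_object($result)) {
    $rows[] = array(
      check_plain($row->source),
      check_plain($row->target),
      (int) $row->hits,
      // l() escapes its link text; the path is an internal route, not user data.
      l(t('Reset counter'), 'admin/build/example-redirect/' . (int) $row->rid . '/reset'),
    );
  }
  return theme('table', $header, $rows);
}

/**
 * Confirmation form for resetting one counter.
 *
 * A plain GET link that performed the reset directly could be triggered from
 * any third-party page. confirm_form() builds a POST form, and the Form API
 * adds a per-user form_token that drupal_get_form() validates before any
 * submit handler runs, so a forged request never reaches the update below.
 */
function example_redirect_reset_confirm(&$form_state, $rid) {
  $form['rid'] = array('#type' => 'value', '#value' => (int) $rid);
  return confirm_form(
    $form,
    t('Reset the hit counter for redirect %rid?', array('%rid' => (int) $rid)),
    'admin/build/example-redirect'
  );
}

function example_redirect_reset_confirm_submit($form, &$form_state) {
  // Defence in depth: the menu access check already ran, but re-check here so
  // no other code path can reach the update without the permission.
  if (!user_access('administer example redirects')) {
    drupal_access_denied();
    return;
  }
  db_query("UPDATE {example_redirect} SET hits = 0 WHERE rid = %d", $form_state['values']['rid']);
  drupal_set_message(t('Hit counter reset.'));
  $form_state['redirect'] = 'admin/build/example-redirect';
}
```

When reviewing a contributed module for the same class of defects, look for page callbacks that modify data on a GET request, menu items whose 'access callback' is TRUE or missing a meaningful permission, and any print or theme call that emits a database column or request parameter without check_plain() or filter_xss().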

Versions Affected

  • Versions of "Go - url redirects" for Drupal 5.x prior to 5.x-1.4
  • Versions of "Go - url redirects" for Drupal 6.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed "Go - url redirects" module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use Go - url redirects for Drupal 5.x, upgrade to 5.x-1.4 or later.
  • If you use Go - url redirects for Drupal 6.x, upgrade to 6.x-1.1 or later.

See also the Go - url redirects project page.

Reported by

John Morahan of the Drupal security team
Alexander Hass, co-maintainer of the gotwo module

Fixed by

Alexander Hass

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.