Full Disclosure mailing list archives
[Security-news] DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting
From: security-news () drupal org
Date: Wed, 7 Mar 2012 21:56:41 +0000 (UTC)
* Advisory ID: DRUPAL-PSA-2012-001 * Version: 6.x, 7.x * Date: 2012-March-07 * Security risk: Moderately critical [1] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This is a public service announcement regarding possible cross-site scripting risks associated with interface localizations for Drupal. Drupal has cross-site scripting prevention filters in the interface localization import code in Drupal core, however, the extent to which localization can be used to inject markup to webpages is wider, and due to Drupal's localization architecture and code reuse, we cannot tell in advance where the localized text is going to be used and how we should sanitize the translated text. When translated text is used, developers do not expect that it might cause cross-site scripting issues and therefore do not use filtering techniques when the resulting text is assembled into the output. You should be aware that Drupal's cross-site scripting prevention for interface localizations is not complete and therefore you should review the localizations imported to your site before importing them or ensure that they come from trusted sources. Even Drupal's central localization source, localize.drupal.org has configurable permission system for teams. Those teams where translations are moderated by a team of volunteers are less likely to contain any attack code. Consequently we are adding /translate interface/ to our list of advanced permissions in our Security advisories process and permissions policy [2] document. The issue also affect contributed modules like Localization update which automate localization import from localize.drupal.org and compatible servers or String overrides, which allows you to use the localization system to override English built-in text. -------- VERSIONS AFFECTED --------------------------------------------------- Multiple modules can be used to translate the interface text. Some of those are * Locale module in Drupal core. * Localization update [3] * String overrides [4] Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Given that translations strings can be harmful, you should treat them with the same skepticism that you treat modules. Get them from reputable sources or review them prior to using them. See also the project page. -------- REPORTED BY --------------------------------------------------------- * The underlying issue was reported by Justin C. Klein Keane [5] -------- FIXED BY ------------------------------------------------------------ This PSA drafted by: * Gábor Hojtsy [6] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. [1] http://drupal.org/security-team/risk-levels [2] http://drupal.org/security-advisory-policy [3] http://drupal.org/project/l10n_update [4] http://drupal.org/project/stringoverrides [5] http://drupal.org/user/302225 [6] http://drupal.org/user/4166 [7] http://drupal.org/contact [8] http://drupal.org/security-team [9] http://drupal.org/writing-secure-code [10] http://drupal.org/security/secure-configuration _______________________________________________ Security-news mailing list Security-news () drupal org http://lists.drupal.org/mailman/listinfo/security-news _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [Security-news] DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting security-news (Mar 07)