T-657: Drupal Prepopulate - Multiple vulnerabilities

June 29, 2011 - 3:34pm

PROBLEM:

The Prepopulate module enables pre-populating forms in Drupal using the $_REQUEST variable.

PLATFORM:

Prepopulate module for Drupal 6.x versions prior to 6.x-2.2

ABSTRACT:

The module does not adequately validate user input, leading to a cross-site scripting (XSS) possibility in certain circumstances.

REFERENCE LINKS:

Advisory ID: DRUPAL-SA-CONTRIB-2011-023
Prepopulate module
Prepopulate 6.x-2.2 Update

IMPACT ASSESSMENT:

High

Discussion:

The Prepopulate module enables pre-populating forms in Drupal using the $_REQUEST variable.
The module does not adequately validate user input, leading to a cross-site scripting (XSS) possibility in certain circumstances. Users privileged to use forms with certain form fields can insert arbitrary HTML and script code into the rendered form. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.
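As an added illustration of the vulnerability class described above (this is not the Prepopulate module's code, and it does not reproduce the specific flaw fixed in 6.x-2.2): a stand-alone PHP sketch of request-driven form pre-population, first copying request values into the markup unescaped, then restricted to an allowlist of field names and HTML-escaped before rendering. The field names and the sample request are constructed.

```php
<?php
// Added illustration, not code from the Prepopulate module.
// Fields this form is willing to accept from the request (constructed example).
$allowed_fields = array('title', 'email');

// Vulnerable pattern: every request key becomes a field, and each value is
// written into the input's value attribute without escaping, so markup in
// a parameter lands in the rendered form as-is.
function render_prepopulated_unsafe(array $request) {
  $html = '';
  foreach ($request as $name => $value) {
    $html .= '<input type="text" name="' . $name . '" value="' . $value . '">' . "\n";
  }
  return $html;
}

// Hardened pattern: only allowlisted names are honoured, only scalar values
// are accepted, and names and values are escaped for an HTML attribute
// context. Inside a Drupal 6 module, check_plain() does the same escaping.
function render_prepopulated_safe(array $request, array $allowed) {
  $html = '';
  foreach ($allowed as $name) {
    if (!isset($request[$name]) || !is_scalar($request[$name])) {
      continue;
    }
    $safe_name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $safe_value = htmlspecialchars((string) $request[$name], ENT_QUOTES, 'UTF-8');
    $html .= '<input type="text" name="' . $safe_name . '" value="' . $safe_value . '">' . "\n";
  }
  return $html;
}

// Constructed request standing in for $_REQUEST: one expected field, one
// value carrying markup that must not reach the page unescaped, and one
// key the form never asked for.
$request = array(
  'title' => 'Hello',
  'email' => '"><em>markup</em>',
  'other' => 'ignored',
);

echo "Unsafe:\n" . render_prepopulated_unsafe($request);
echo "Safe:\n" . render_prepopulated_safe($request, $allowed_fields);
```

Run it with the PHP CLI; the unsafe output closes the attribute and emits the `<em>` tag, while the safe output keeps the value inside the attribute and drops the `other` key.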

Impact:

The module does not properly protect the forms against Cross-site Request Forgeries (CSRF), allowing a malicious user to trick an authorized user into submitting unintended values on a form.
Drupal core is not affected. If you do not use the contributed Prepopulate module, there is nothing you need to do.

Solution:

Upgrade the Prepopulate module for Drupal 6.x to Prepopulate 6.x-2.2.
