[Full-disclosure] [Security-news] SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2012-039
* Project: Language icons [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-March-14
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting


The Language icons module adds icons to language links generated by the
Locale and Content Translation modules in core.
The module does not sanitize some of the user-supplied data before displaying
it, leading to a Cross Site Scripting (XSS [3]) vulnerability. This
vulnerability is mitigated by the fact that an attacker must have a role with
the permission "administer languages".


* Language icons 6.x-2.x versions prior to 6.x-2.1.
* Language icons 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Language icons
[4] module, there is nothing you need to do.

-------- SOLUTION

Install the latest version:

* If you use the Language icons module for Drupal 6.x, upgrade to Language
icons 6.x-2.1 [5]
* If you use the Language icons module for Drupal 7.x, upgrade to Language
icons 7.x-1.0 [6]

See also the Language icons [7] project page.

-------- REPORTED BY

* Jose Reyero [8] the original module author
* Frederik "Freso" S. Olesen [9] the current module maintainer

-------- FIXED BY

* Frederik "Freso" S. Olesen [10] the module maintainer


* Greg Knaddison [11] of the Drupal Security Team


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

[1] http://drupal.org/project/languageicons
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] http://drupal.org/project/languageicons
[5] http://drupal.org/node/1482144
[6] http://drupal.org/node/1482136
[7] http://drupal.org/project/languageicons
[8] http://drupal.org/user/4299
[9] http://drupal.org/user/27504
[10] http://drupal.org/user/27504
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

Security-news mailing list

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/