Drupal Link to Us 5.x-10 XSS Vulnerability
Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third-party modules. While the security of Drupal core modules is vetted by a central security team, third-party modules are not reviewed for security.
Link to Us 5.x-10 was tested and shown to be vulnerable.
Testing for Vulnerability
Depending on configuration, this vulnerability allows users with permissions to the Link to Us module to inject malicious content that could be displayed to web site users. Such content could include links to malware that could lead to possible system compromise.
The link_to_us.info page for vulnerable versions displays the following information:
; $Id:
name = Link To Us Module
description = Add Link to this site functionality.

; Information added by drupal.org packaging script on 2008-03-13
version = "5.x-1.0"
project = "link_to_us"
datestamp = "1205451908"
Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214).
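For administrators checking their own installation, the following added example (not part of the original advisory or the module's code) walks a Drupal tree, parses each .info file in the format listed above, and flags any Link to Us copy whose version matches that listing. The function names, the sites/all/modules layout used in the demo and the sample file are assumptions made for illustration.

```python
import os
import re
import tempfile

# Version string taken from the .info listing above, which the advisory reports as vulnerable.
VULNERABLE_VERSIONS = {"5.x-1.0"}
PROJECT = "link_to_us"
_KEY_VALUE = re.compile(r'^\s*([^=;\s][^=]*?)\s*=\s*(.*?)\s*$')

def parse_info(text):
    """Parse a Drupal module .info file (key = value lines, ';' comments) into a dict."""
    data = {}
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if m:  # blank lines and ';' comment lines do not match
            data[m.group(1)] = m.group(2).strip("\"'")  # drop packaging-script quotes
    return data

def audit(drupal_root):
    """Return (path, version, is_vulnerable) for every Link to Us copy under drupal_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(drupal_root):
        for name in (f for f in files if f.endswith(".info")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                info = parse_info(fh.read())
            if info.get("project") == PROJECT or name == PROJECT + ".info":
                version = info.get("version", "unknown")
                findings.append((path, version, version in VULNERABLE_VERSIONS))
    return findings

# Constructed sample input, modelled on the .info listing above.
SAMPLE_INFO = """; $Id:
name = Link To Us Module
version = "5.x-1.0"
project = "link_to_us"
"""

def demo():
    """Build a throwaway module tree (assumed layout: sites/all/modules) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        module_dir = os.path.join(root, "sites", "all", "modules", "link_to_us")
        os.makedirs(module_dir)
        with open(os.path.join(module_dir, "link_to_us.info"), "w") as fh:
            fh.write(SAMPLE_INFO)
        return [(os.path.relpath(p, root), v, bad) for p, v, bad in audit(root)]

if __name__ == "__main__":
    for path, version, vulnerable in demo():
        print("VULNERABLE" if vulnerable else "ok", version, path)
```

Point audit() at the document root of a real installation to get the same report for the modules actually deployed there.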
Vendor initially contacted on July 2, 2008. Although a patch was created, the Drupal security team's policy (http://drupal.org/node/32750) is to delay the release of patches or details until a fixed timeframe. Drupal security has said that an announcement and patch should be available this Wednesday, September 17, 2008.