Drupal Ad Module 5.x-1.7 XSS Vulnerability

30 November -0001


The flaw exists within the ad_admin_group_form_submit() function (line 2796 of ad.module). The function saves group names and descriptions using the taxonomy_save_term() function which does not scrub HTML from the input, which allows a user with privileges to administer the ad module to insert arbitrary script on pages presented to other administrators.

5.x-1.6 dated 2007/07/16 was tested and shown vulnerable.

From the Drupal Security Announcement (http://drupal.org/node/372977):


 * Versions of Advertisement module for Drupal 5.x prior to 5.x-1.7.

 * Versions of Advertisement module for Drupal 6.x prior to 6.x-1.0-rc1.

Note that this vulnerability also affects the unsupported branches of code for 4.7 and 5.x-2.x.  The Advertisement module maintainer will update these at his discretion.  If you use those unsupported versions you should disable them until an updated release is available.

Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.

---- SOLUTION ----

Install the latest version:

 * If you use Advertisement for Drupal 5.x upgrade to Advertisement 5.x-1.7 [ http://drupal.org/node/372995 ]

 * If you use Advertisement for Drupal 6.x upgrade to Advertisement 6.x-1.0-rc1 [ http://drupal.org/node/372997 ]

See also the Advertisement project page [ http://drupal.org/project/ad ].