lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20120307215641.436FD1D0084@www1.drupal.org>
Date: Wed,  7 Mar 2012 21:56:41 +0000 (UTC)
From: security-news@...pal.org
To: security-news@...pal.org
Subject: [Security-news] DRUPAL-PSA-2012-001 -
	localizations - Cross Site	Scripting

  * Advisory ID: DRUPAL-PSA-2012-001
  * Version: 6.x, 7.x
  * Date: 2012-March-07
  * Security risk: Moderately critical [1]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

This is a public service announcement regarding possible cross-site scripting
risks associated with interface localizations for Drupal. Drupal has
cross-site scripting prevention filters in the interface localization import
code in Drupal core, however, the extent to which localization can be used to
inject markup to webpages is wider, and due to Drupal's localization
architecture and code reuse, we cannot tell in advance where the localized
text is going to be used and how we should sanitize the translated text. When
translated text is used, developers do not expect that it might cause
cross-site scripting issues and therefore do not use filtering techniques
when the resulting text is assembled into the output.

You should be aware that Drupal's cross-site scripting prevention for
interface localizations is not complete and therefore you should review the
localizations imported to your site before importing them or ensure that they
come from trusted sources. Even Drupal's central localization source,
localize.drupal.org has configurable permission system for teams. Those teams
where translations are moderated by a team of volunteers are less likely to
contain any attack code.

Consequently we are adding /translate interface/ to our list of advanced
permissions in our Security advisories process and permissions policy [2]
document.

The issue also affect contributed modules like Localization update which
automate localization import from localize.drupal.org and compatible servers
or String overrides, which allows you to use the localization system to
override English built-in text.

-------- VERSIONS AFFECTED  
---------------------------------------------------

Multiple modules can be used to translate the interface text. Some of those
are

  * Locale module in Drupal core.
  * Localization update [3]
  * String overrides [4]

Drupal core is not affected. If you do not use the contributed
module, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Given that translations strings can be harmful, you should treat them with
the same skepticism that you treat modules. Get them from reputable sources
or review them prior to using them.

See also the
project page.

-------- REPORTED BY  
---------------------------------------------------------

  * The underlying issue was reported by Justin C. Klein Keane [5]

-------- FIXED BY  
------------------------------------------------------------

This PSA drafted by:

  * Gábor Hojtsy [6] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].

Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].


[1] http://drupal.org/security-team/risk-levels
[2] http://drupal.org/security-advisory-policy
[3] http://drupal.org/project/l10n_update
[4] http://drupal.org/project/stringoverrides
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/4166
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news@...pal.org
http://lists.drupal.org/mailman/listinfo/security-news
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ