------------PROJECT AND PROJECT ISSUE TRACKING XSS------------
* Advisory ID: DRUPAL-SA-2006-031.
* Project: Project and Project issue tracking (third party modules).
* Date: 2006-Dec-18.
* Security risk: Less critical.
* Exploitable from: Remote.
* Vulnerability: Cross site scripting.
------------DESCRIPTION------------
Several fields are not passed through check_plain() on display. A malicious user could use these fields to insert and execute XSS (Cross Site Scripting).
This may lead to administrator access if certain conditions are met.
Additionally, certain error messages are generated that include potentially malicious data without filtering.
Learn more about XSS on Wikipedia [
http://en.wikipedia.org/wiki/Cross_site_scripting].
Revoking the "access projects" permission provides an immediate workaround.
------------VERSIONS AFFECTED------------
* Project issue tracking 4.7.x-2.0
* Project issue tracking 4.7.x-1.0
* Project 4.7.x-2.0
* Project 4.7.x-1.0
* Project 4.6.x-1.0
* Project issue tracking 4.7.0 (from before the new release system)
* Project 4.7.0 (from before the new release system)
* Project 4.6.0 (from before the new release system)
Note that in 4.6.x, Project issue tracking is included as part of the Project module.
Drupal core is not affected. If you do not use the contributed Project and/or Project issue tracking modules, there is nothing you need to do.
------------SOLUTION------------
Install the latest versions:
* Project issue tracking 4.7.x-2.1 [
http://drupal.org/node/103953].
* Project issue tracking 4.7.x-1.1 [
http://drupal.org/node/103952].
* Project 4.7.x-2.1 [
http://drupal.org/node/103951].
* Project 4.7.x-1.1 [
http://drupal.org/node/103950].
* Project 4.6.x-1.1 [
http://drupal.org/node/103949].
If you are using a version of Project and/or Project issue tracking from before the new release system (4.7.0), upgrade to 4.7.x-1.1.
See also the Project [
http://drupal.org/project/project] and Project issue tracking [
http://drupal.org/project/project_issue] home pages.
------------REPORTED BY------------
Derek Wright (dww) from the Drupal security team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact].