------------SA-2008-10 - ARCHIVE - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2008-010
* Project: Archive (third-party module)
* Version: 5.x
* Date: 2008-January-23
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
The Archive module provides a replacement for the archive functionality that was present in Drupal 4.7.
Certain URL arguments are not escaped before display. It is therefore possible to inject arbitrary HTML and script code into certain archive pages, which may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia [
http://en.wikipedia.org/wiki/Cross_site_scripting ].
------------VERSIONS AFFECTED------------
* Archive for Drupal 5.x before Archive 5.x-1.8
Drupal core is not affected. If you do not use the contributed Archive module, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you use Drupal 5.x upgrade to Archive 5.x-1.8 [
http://drupal.org/node/206175 ].
See also the Archive project page [
http://drupal.org/project/archive ].
------------REPORTED BY------------
Gábor Hojtsy [
http://drupal.org/user/4166 ]
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].