------------SA-2008-028 - INTERNATIONALIZATION AND LOCALIZER - CROSS SITE SCRIPTING------------
* Advisory ID: DRUPAL-SA-2008-028
* Project: Internationalization and Localizer (third-party modules)
* Versions: 5.x and 6.x
* Date: 2008-April-23
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting
------------DESCRIPTION------------
The Internationalization (i18n) and Localizer modules add multi-lingual capabilities to Drupal sites. They provide control over a site's user interface language, the ability to enter and control content in multiple languages, and can detect the browser language.
Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages. Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Xss ] (XSS).
This also fixes a minor Cross Site Request Forgery (CSRF) [
http://en.wikipedia.org/wiki/CSRF ] in the Internationalization module. The translation module handles content translations and creates translation sets of various nodes which are translations from one another. A CSRF attack may result in a node translation becoming unrelated from its corresponding translation set.
------------VERSIONS AFFECTED------------
* Internationalization (i18n) for Drupal 5.x before Internationalization 5.x-2.3 and 5.x-1.1
* Internationalization (i18n) for Drupal 6.x before Internationalization 6.x-1.0-beta1
* Localizer for Drupal 5.x before Localizer 5.x-3.4, 5.x-2.1 and 5.x-1.11
Drupal core is not affected. If you do not use the contributed modules Internationalization or Localizer, there is nothing you need to do.
------------SOLUTION------------
Install the latest version:
* If you currently use Internationalization 5.x-2.x upgrade to Internationalization 5.x-2.3 [
http://drupal.org/node/250370 ]
* If you currently use Internationalization 5.x-1.x upgrade to Internationalization 5.x-1.1 [
http://drupal.org/node/250371 ]
* If you currently use Internationalization 6.x-1.x upgrade to Internationalization 6.x-1.0-beta1 [
http://drupal.org/node/250367 ]
* If you currently use Localizer 5.x-3.x upgrade to Localizer 5.x-3.4 [
http://drupal.org/node/250379 ]
* If you currently use Localizer 5.x-2.x upgrade to Localizer 5.x-2.1 [
http://drupal.org/node/250378 ]
* If you currently use Localizer 5.x-1.x upgrade to Localizer 5.x-1.11 [
http://drupal.org/node/250377 ]
See also the Internationalization project page [
http://drupal.org/project/i18n ] and the Localizer project page [
http://drupal.org/project/localizer ].
------------REPORTED BY------------
Stéphane Corlosquet (scor [
http://drupal.org/user/52142 ]) of the Drupal security team.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or via the form at [
http://drupal.org/contact ].