Ticket #785 (closed maintenance: fixed)

Opened 2 years ago

Last modified 2 years ago

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Reported by: paul
Owned by: paul
Priority: major
Milestone: Maintenance
Component: Drupal modules & settings
Keywords:
Cc:
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.875

Description

@Ed Would you check my choice of component; I was looking for maintenance? Should I assign this to me as I create the ticket?

View online: https://www.drupal.org/node/2336263

  • Advisory ID: DRUPAL-SA-CONTRIB-2014-086
  • Project: Custom Breadcrumbs [1] (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-September-10
  • Security risk: 16/25 (Critical) AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
  • Vulnerability: Cross Site Scripting

Description

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb
trails for different content types, views, panels, taxonomy vocabularies and
terms, paths, and a simple API that allows contributed modules to enable
custom breadcrumbs for module pages and theme templates.

User input is not properly sanitized in all use cases, opening a Cross Site
Scripting (XSS) vulnerability.

The vulnerability is only present when the custom breadcrumb is configured
with the special identifier so that some of the breadcrumb items are
not links. A typical example is a trail whose last element shows the
current page title but is not a link. The XSS vulnerability is not triggered
if all items of the breadcrumb are links and the special identifier is not
used.
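To show the two rendering paths the advisory distinguishes, here is an added PHP illustration; it is not the Custom Breadcrumbs module's own code. check_plain() and l() are minimal stand-ins for the Drupal helpers, and the "<none>" marker for a non-link item is an assumption, since the advisory does not name the special identifier.

```php
<?php
// Added illustration, not the module's code. Link items go through l(),
// which escapes its text; the non-link item is where escaping was missed.

// Minimal stand-ins for the Drupal 6/7 helpers so this runs without Drupal.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
function l($text, $path) {
  return '<a href="' . check_plain($path) . '">' . check_plain($text) . '</a>';
}

// Vulnerable pattern: link items are escaped inside l(), but the non-link
// item (for example the current page title) is concatenated raw.
// "<none>" is an assumed marker for "render this item without a link".
function breadcrumb_vulnerable(array $items) {
  $out = array();
  foreach ($items as $title => $path) {
    $out[] = ($path === '<none>') ? $title : l($title, $path);
  }
  return implode(' &raquo; ', $out);
}

// Hardened pattern: every plain-text item is passed through check_plain()
// before it reaches the page, whether or not it is rendered as a link.
function breadcrumb_fixed(array $items) {
  $out = array();
  foreach ($items as $title => $path) {
    $out[] = ($path === '<none>') ? check_plain($title) : l($title, $path);
  }
  return implode(' &raquo; ', $out);
}

// Constructed sample trail: a page title that carries markup, as any
// authenticated user able to set a node title could supply.
$trail = array(
  'Home' => '<front>',
  'News <script>alert(1)</script>' => '<none>',
);
echo breadcrumb_vulnerable($trail), "\n"; // the script element reaches the browser
echo breadcrumb_fixed($trail), "\n";      // the same title is rendered as inert text
```

The difference between the two outputs is exactly the condition the advisory describes: with only link items, both functions produce identical, escaped markup.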


CVE identifier(s) issued

  • A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.


Versions affected

  • Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
  • Custom Breadcrumbs 6.x-2.x versions are NOT affected
  • Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1

Drupal core is not affected. If you do not use the contributed Custom
Breadcrumbs [4] module,
there is nothing you need to do.


Solution

Install the latest version:

  • If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x, upgrade to Custom Breadcrumbs 6.x-1.6 [5].
  • If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x, upgrade to Custom Breadcrumbs 7.x-2.0-beta1 [6].

Also see the Custom Breadcrumbs [7] project page.


Reported by

  • Markus Sipilä [8]

Fixed by

  • Markus Sipilä [9]
  • Colan Schwartz [10] the module maintainer

Coordinated by

  • Greg Knaddison [11] of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13],
writing secure code for Drupal [14], and
securing your site [15].

[1] https://www.drupal.org/project/custom_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_breadcrumbs
[5] https://www.drupal.org/node/2335705
[6] https://www.drupal.org/node/2335721
[7] https://www.drupal.org/project/custom_breadcrumbs
[8] https://www.drupal.org/user/109674
[9] https://www.drupal.org/user/109674
[10] https://www.drupal.org/user/58704
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration

Security-news mailing list
Security-news@…
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

Change History

comment:1 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

comment:2 Changed 2 years ago by ed

  • Owner changed from ed to paul
  • Status changed from new to assigned
  • Type changed from defect to maintenance
  • Milestone set to Maintenance

Thanks for asking Paul - component is correct - I've set 'milestone' to maintenance, owner to paul, 'type' to maintenance.

comment:3 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.25 to 0.5

Thanks Ed.

@Sam @Ed
Would you have a quick look over the stage site to confirm that nothing has changed with the breadcrumb trails?

I'll not rebuild the stage / production platforms to accommodate this security update (as before) to a contributed module. Instead I will manually switch the module on the production - as per the stage site - and update the profile on github. This should save us time as building platforms is slow on Aegir.

So, in future I'll only build new platforms, migrate, .. for core releases *but* for updates to contributed modules - I'll simply switch in the new module & update the profile on github.

https://booker-stage-20140717.transitionnetwork.org

comment:4 Changed 2 years ago by paul

Sorry,

No update is required.

Custom Breadcrumbs 6.x-2.x versions are NOT affected

comment:5 Changed 2 years ago by paul

If the breadcrumbs are working fine on stage; I'll leave the profile changes so that we later move to supported release for this module.

comment:6 Changed 2 years ago by ed

Looks OK to me.

comment:7 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.5 to 0.625

Thanks Ed.

If we have any available cycles this month we could have a look at updating other contributed modules to later releases, as newer releases have been known to include security fixes by stealth :(

Last edited 2 years ago by paul (previous) (diff)

comment:8 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.625 to 0.875

@Ed I think we can close this ticket.

Actually there are only a couple of modules that we could explore updating:

Context 6.x-2.1+3-dev to 6.x-3.2 (security update)
Views Datasource 6.x-1.0-beta2+5-dev to 6.x-1.0-beta2

For the first module there are some notes from JK: Need to manage change from 2.x branch to 3.x.

The reason there are not many version updates is because every time we build a new platform (for a new release of Drupal) we automatically pull in the latest versions of contributed modules - unless a module is pinned to a specific version.

https://booker-stage-20140717.transitionnetwork.org/admin/reports/updates

comment:9 Changed 2 years ago by ed

close away paul - DIY - no need to wait for me :)

comment:10 Changed 2 years ago by paul

  • Status changed from assigned to closed
  • Resolution set to fixed

I got the power ..
