Ticket #785 (closed maintenance: fixed)
SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)
Reported by: | paul | Owned by: | paul |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Drupal modules & settings | Keywords: | |
Cc: | Estimated Number of Hours: | 0.0 | |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 0.875 |
Description
@Ed Would you check my choice of component; I was looking for maintenance? Should I assign this to me as I create the ticket?
View online: https://www.drupal.org/node/2336263
- Advisory ID: DRUPAL-SA-CONTRIB-2014-086
- Project: Custom Breadcrumbs [1] (third-party module)
- Version: 6.x, 7.x
- Date: 2014-September-10
- Security risk: 16/25 ( Critical)
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
- Vulnerability: Cross Site Scripting
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb
trails for different content types, views, panels, taxonomy vocabularies and
terms, paths, and a simple API that allows contributed modules to enable
custom breadcrumbs for module pages and theme templates.
User input is not properly sanitized in all use cases, opening a Cross Site
Scripting (XSS) vulnerability.
The vulnerability is only present when the custom breadcrumb is configured
with the special identifier so that some of the breadcrumb items are
not links. Typical example is that the last breadcrumb element is showing the
current page title but is not a link. The XSS vulnerability is not triggered
if all items of the breadcrumb are links and special identifier is not
used.
- /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
- Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
- Custom Breadcrumbs 6.x-2.x versions are NOT affected
- Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1
Drupal core is not affected. If you do not use the contributed Custom
Breadcrumbs [4] module,
there is nothing you need to do.
Install the latest version:
- If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x,
upgrade to Custom Breadcrumbs 6.x-1.6 [5].
- If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x,
upgrade to Custom Breadcrumbs 7.x-2.0-beta1 [6].
Also see the Custom Breadcrumbs [7] project page.
- Markus Sipilä [8]
- Greg Knaddison [11] of the Drupal Security Team
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13],
writing secure code for Drupal [14], and
securing your site [15].
[1] https://www.drupal.org/project/custom_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_breadcrumbs
[5] https://www.drupal.org/node/2335705
[6] https://www.drupal.org/node/2335721
[7] https://www.drupal.org/project/custom_breadcrumbs
[8] https://www.drupal.org/user/109674
[9] https://www.drupal.org/user/109674
[10] https://www.drupal.org/user/58704
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
_
Security-news mailing list
Security-news@…
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Change History
comment:1 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.0 to 0.25
comment:2 Changed 2 years ago by ed
- Owner changed from ed to paul
- Status changed from new to assigned
- Type changed from defect to maintenance
- Milestone set to Maintenance
Thanks for asking Paul - component is correct - i've set 'milestone' to maintenance, owner to paul, 'type' to maintenance.
comment:3 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.25 to 0.5
Thanks Ed.
@Sam @Ed
Would you have a quick look over the stage site to confirm that nothing has changed with the breadcrumb trails.
I'll not rebuild the stage / production platforms to accommodate this security update (as before) to a contributed module. Instead I will manually switch the module on the production - as per the stage site - and update the profile on github. This should save us time as building platforms is slow on Aegir.
So, in future I'll only build new platforms, migrate, .. for core releases *but* for updates to contributed module - I'll simply switch in the new module & update the profile on github.
comment:4 Changed 2 years ago by paul
Sorry,
No update is required.
Custom Breadcrumbs 6.x-2.x versions are NOT affected
comment:5 Changed 2 years ago by paul
If the breadcrumbs are working fine on stage; I'll leave the profile changes so that we later move to supported release for this module.
comment:7 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.125
- Total Hours changed from 0.5 to 0.625
Thanks Ed.
If we have any available cycles this month we could have a look at updating other contributed module to later releases, as newer releases have been know to include security fixes by stealth :(
comment:8 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.625 to 0.875
@Ed I think we can close this ticket.
Actually there are only a couple of modules that we could explore updating:
Context 6.x-2.1+3-dev to 6.x-3.2 (security update)
Views Datasource 6.x-1.0-beta2+5-dev to 6.x-1.0-beta2
For the first module there are some notes from JK: Need to manage change from 2.x branch to 3.x.
The reason there are not many version updates is because every time we build a new platform (for a new release of drupal) we automatically pull in the latest versions of contributed modules - unless a module is pinned to a specific version.
https://booker-stage-20140717.transitionnetwork.org/admin/reports/updates
comment:10 Changed 2 years ago by paul
- Status changed from assigned to closed
- Resolution set to fixed
I got the power ..