=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN378
_____________________________________________________________________

DATE                      : 04/10/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the Project issue tracking
                            module for DRUPAL.

======================================================================

- ------------SA-2007-021: PROJECT ISSUE TRACKING - XSS VULNERABILITIES IN SUBSCRIPTION FORMS------------

   * Advisory ID: DRUPAL-SA-2007-021.

   * Project: Project issue tracking (third-party module)

   * Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x

   * Date: 2007-Sep-27

   * Security risk: Moderately critical

   * Exploitable from: Remote

   * Vulnerability: Cross-site scripting (XSS)

- ------------DESCRIPTION------------

The Project issue tracking module [ http://drupal.org/project/project_issue ]
provides subscription functionality that lets users sign up for e-mail
notification of issue updates. Subscriptions can be edited either on an
individual form or on an overview form. Users who have permission to create or
edit projects may be able to inject arbitrary HTML or script into these form
pages, which is then executed in the browser of any user who views them.

Wikipedia has more information about cross-site scripting (XSS)
[ http://en.wikipedia.org/wiki/Cross-site_scripting ].
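The defect class described above, shown as an added PHP example that is not code from the Project issue tracking module or from the Drupal security team. It assumes a simplified stand-in for a Drupal 5 form array, a toy renderer in place of drupal_get_form() and the theme layer, constructed project titles, and hypothetical function names (subscribe_form_vulnerable, subscribe_form_fixed, render_checkboxes, contains_raw_script); check_plain() is defined locally only so the script runs outside Drupal.

```php
<?php
// Added example, not the module's own code. Demonstrates a project title
// that reaches a subscription form label unescaped (the defect class in
// SA-2007-021) next to the escaped form, plus a check on the rendered output.

// Drupal 5's check_plain() escapes HTML special characters, quotes included,
// so user-supplied text renders as literal text. Defined here only so the
// script runs stand-alone; inside Drupal the core function is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: project node titles as saved by users holding the
// "create projects" / "edit projects" permission. The second title carries
// markup, so it must be treated as untrusted output.
$projects = array(
  1 => 'Views',
  2 => 'Tools <script>alert("xss")</script>',
);

// Vulnerable pattern (hypothetical function): the title is copied into the
// checkbox '#title' as-is, so whatever markup it contains is parsed by the
// browser once the form is rendered.
function subscribe_form_vulnerable($projects) {
  $form = array();
  foreach ($projects as $nid => $title) {
    $form['project'][$nid] = array(
      '#type'  => 'checkbox',
      '#title' => $title,               // unescaped: stored XSS
    );
  }
  return $form;
}

// Fixed pattern (hypothetical function): identical structure, but the title
// passes through check_plain() before it becomes part of the page.
function subscribe_form_fixed($projects) {
  $form = array();
  foreach ($projects as $nid => $title) {
    $form['project'][$nid] = array(
      '#type'  => 'checkbox',
      '#title' => check_plain($title),  // escaped: rendered as literal text
    );
  }
  return $form;
}

// Toy renderer (assumption): emits each label the way a form page would.
// Like a template that prints the label verbatim, it does no escaping itself.
function render_checkboxes($form) {
  $html = '';
  foreach ($form['project'] as $nid => $element) {
    $html .= '<label><input type="checkbox" name="project[' . (int) $nid . ']" /> '
           . $element['#title'] . "</label>\n";
  }
  return $html;
}

// Reviewer-side check: a raw "<script" tag surviving into the rendered
// markup means the escape step was skipped for at least one title.
function contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

$vulnerable = render_checkboxes(subscribe_form_vulnerable($projects));
$fixed      = render_checkboxes(subscribe_form_fixed($projects));

echo "Vulnerable output:\n" . $vulnerable . "\n";
echo "Fixed output:\n" . $fixed . "\n";
echo 'Raw <script> in vulnerable output: ' . (contains_raw_script($vulnerable) ? 'yes' : 'no') . "\n";
echo 'Raw <script> in fixed output:      ' . (contains_raw_script($fixed) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The whole fix is the single check_plain() call applied to the project title before it reaches form markup. The temporary workaround in the SOLUTION section (withholding project create/edit permissions from untrusted users) removes the ability to set such a title in the first place, while the code fix makes the output safe regardless of who set it.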

- ------------VERSIONS AFFECTED------------

   * 5.x-1.x:
        * Project issue tracking before version 5.x-1.1

   * 4.7.x-2.x:
        * Project issue tracking before version 4.7.x-2.5

   * 4.7.x-1.x:
        * Project issue tracking before version 4.7.x-1.5

Drupal core is not affected. If you do not use the contributed Project issue
tracking module, there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

   * 5.x-1.x:
        * Project issue tracking 5.x-1.1 [ http://drupal.org/node/178976 ]

   * 4.7.x-2.x:
        * Project issue tracking 4.7.x-2.5 [ http://drupal.org/node/178979 ]

   * 4.7.x-1.x:
        * Project issue tracking 4.7.x-1.5 [ http://drupal.org/node/178981 ]

As a temporary solution, site administrators can disable, for untrusted users,
all permissions that allow creating or editing projects.

- ------------REPORTED BY------------

Chad Phillips (hunmonk [ http://drupal.org/user/22079 ]) of the Drupal
security team.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
