=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN336
_____________________________________________________________________

DATE                      : 05/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running CCK for DRUPAL.

======================================================================
http://drupal.org/node/304093
______________________________________________________________________

SA-2008-048 - CCK - Cross site scripting

Heine - September 4, 2008 - 19:43

     * Advisory ID: DRUPAL-SA-2008-048
     * Project: CCK (third-party module)
     * Version: 5.x
     * Date: 2008-Sep-04
     * Security risk: Not critical
     * Exploitable from: Remote
     * Vulnerability: Cross site scripting

Description

The Content Construction Kit (CCK) allows certain privileged users to
add custom fields to content types using a web browser.

Some of the settings (field label, help text, allowed values) entered on
the fields settings forms are then displayed without appropriate
filtering. Malicious users with the "administer content" permission are
able to exploit this issue and insert arbitrary HTML and script code
into pages. Such a cross site scripting attack (XSS) may lead to the
malicious user gaining full administrative access.

This is only an issue if you need any role separation between
administrators and users with the "administer content" permission.


Versions affected

     * CCK for Drupal 5.x prior to 5.x-1.8

Drupal core is not affected. The CCK RC releases for Drupal 6 are not
affected.

If you do not use the contributed CCK module on a Drupal 5 site, there
is nothing you need to do.


Solution

Install the latest version:

     * CCK 5.x-1.8 - 5.x-1.8 had two critical bugs
     * CCK 5.x-1.9 hotfix release - includes security fix and these
critical issue fixes.

See also the CCK project page.


Note

If your theme uses field templates, you will need to manually change the
function phptemplate_field (or possibly THEME_NAME_field) in your
theme's template.php:

change:

     'label' => t($field['widget']['label']),

to:

     'label' => check_plain(t($field['widget']['label'])),

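
An added example, not part of the original advisory or of the CCK project: a small Python audit that walks a directory tree for template.php files and reports lines that still pass the field label through t() without check_plain(). The function names and the two sample lines are constructed for illustration, and only the exact expression quoted in the note above is recognised.

```python
import re
import sys
from pathlib import Path

# The label expression quoted in the advisory, tolerating whitespace and quote
# style. The optional "wrap" group records whether check_plain() encloses it.
LABEL_CALL = re.compile(
    r"""(?P<wrap>\bcheck_plain\s*\(\s*)?\bt\s*\(\s*\$field\s*"""
    r"""\[\s*['"]widget['"]\s*\]\s*\[\s*['"]label['"]\s*\]\s*\)"""
)

# Constructed samples: the theme line before and after the manual change.
UNPATCHED = "  'label' => t($field['widget']['label']),\n"
PATCHED = "  'label' => check_plain(t($field['widget']['label'])),\n"


def scan_source(source):
    """Return (line_number, stripped_line, is_escaped) for each label call."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in LABEL_CALL.finditer(line):
            escaped = match.group("wrap") is not None
            findings.append((number, line.strip(), escaped))
    return findings


def scan_themes(root):
    """Return (path, line_number, line) for unescaped labels under root."""
    hits = []
    for path in sorted(Path(root).rglob("template.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line, escaped in scan_source(text):
            if not escaped:
                hits.append((str(path), number, line))
    return hits


if __name__ == "__main__":
    # Assumption: the first argument is the directory holding the site's themes.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    unescaped = scan_themes(root)
    for path, number, line in unescaped:
        print(f"{path}:{number}: field label not escaped: {line}")
    sys.exit(1 if unescaped else 0)
```

A non-zero exit status means at least one theme still needs the manual change described above.
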
Reported by

     * The cross site scripting issue was reported by Peter Wolanin from
the Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org 
or via the form at http://drupal.org/contact.


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
