=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN179
_____________________________________________________________________

DATE                      : 27/05/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the Scheduler module for Drupal 5.x prior
                              to 5.x-1-19, or for Drupal 6.x prior to 6.x-1.7.

======================================================================
http://drupal.org/node/810220
______________________________________________________________________


SA-CONTRIB-2010-060 - Scheduler - Cross Site Scripting

Drupal Security Team - May 26, 2010 - 19:27

Description

Scheduler allows nodes to be published and unpublished on specified dates.

Scheduler does not sanitize titles for unpublished nodes on the scheduled
nodes overview list, leading to a Cross Site Scripting (XSS) vulnerability
that may lead to a malicious user gaining full administrative access.

The risk is mitigated by the fact that an attacker must be able to a) create a
node that is b) scheduled (which requires the "schedule (un)publishing of nodes"
permission) and c) unpublished.
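As an added illustration (not the Scheduler module's own code and not the actual fix), the pattern behind this class of bug in plain PHP: an unpublished node's attacker-controlled title is placed in the overview table once unescaped and once escaped. escape_for_html() is a hypothetical stand-in for Drupal 6's check_plain(), and the node array is constructed sample data.

```php
<?php
// Added example, not code from the Scheduler module.
// Stand-in for Drupal 6's check_plain(): escape text before it is output as HTML,
// so that markup in a node title is rendered as literal text, not interpreted.
function escape_for_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the raw title is concatenated straight into the table cell.
// Whoever views the scheduled-nodes overview (typically an administrator)
// receives the title's markup as part of the page.
function overview_cell_unsafe(array $node) {
    return '<td>' . $node['title'] . '</td>';
}

// Hardened pattern: the title is escaped on output.
function overview_cell_safe(array $node) {
    return '<td>' . escape_for_html($node['title']) . '</td>';
}

// Defender's check: list node ids whose title would change under escaping,
// i.e. titles that contain HTML special characters and deserve review.
function titles_needing_review(array $nodes) {
    $flagged = array();
    foreach ($nodes as $node) {
        if (escape_for_html($node['title']) !== $node['title']) {
            $flagged[] = $node['nid'];
        }
    }
    return $flagged;
}

// Constructed sample: one ordinary node and one scheduled, still-unpublished
// node (status 0) whose title carries a script tag.
$nodes = array(
    array('nid' => 7,  'status' => 1, 'title' => 'Release notes'),
    array('nid' => 42, 'status' => 0, 'title' => '<script>alert(1)</script>'),
);

foreach ($nodes as $node) {
    if ($node['status'] == 0) {
        echo "unsafe: " . overview_cell_unsafe($node) . PHP_EOL;
        echo "safe:   " . overview_cell_safe($node) . PHP_EOL;
    }
}
echo 'titles needing review: ' . implode(', ', titles_needing_review($nodes)) . PHP_EOL;
```

Run with `php example.php`; only the unpublished node is printed in both forms, and its nid is the one flagged for review.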


Versions affected

    * Scheduler module for Drupal 5.x versions prior to 5.x-1-19
    * Scheduler module for Drupal 6.x versions prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Scheduler module,
there is nothing you need to do.


Solution

Install the latest version:

    * If you use the Scheduler module for Drupal 5.x upgrade to Scheduler 5.x-1-19
    * If you use the Scheduler module for Drupal 6.x upgrade to Scheduler 6.x-1.7

See also the Scheduler project page.


Reported by

    * mr.baileys of the Drupal security team

Fixed by

    * Eric Schaefer, module maintainer

Contact

The Drupal security team can be reached at security at drupal.org or via the form
at http://drupal.org/contact.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
