
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN167
____________________________________________________________________

DATE                : 29/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Contact Forms for DRUPAL
                        versions 6.x-1.x prior to 6.x-1.13.

======================================================================
http://drupal.org/node/1506404
______________________________________________________________________

SA-CONTRIB-2012-044 - Contact Forms - Cross Site Scripting
Posted by Drupal Security Team on March 28, 2012 at 1:21pm

    * Advisory ID: DRUPAL-SA-CONTRIB-2012-044
    * Project: Contact Forms (third-party module)
    * Version: 6.x
    * Date: 2012-March-28
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting

Description

This module expands the features of the site wide contact form. It
eliminates the drop down category menu by generating a clean looking
contact form with a unique path, for each of the contact form categories.

The module does not sufficiently filter user-supplied text in the page
title and additional information fields, leading to a cross-site
scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a
role with the permission "administer site-wide contact form" and the core
contact form needs to be enabled.
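
The pattern behind this advisory, as an added illustration that is not
the Contact Forms module's own code: a Drupal 6 page callback renders the
administrator-entered category title and additional-information text. The
function and variable names are hypothetical; check_plain() is Drupal's
HTML escaper, and the stand-in defined here lets the snippet run outside
Drupal.

```php
<?php
// Stand-in so the snippet runs outside Drupal. Drupal 6's check_plain()
// is htmlspecialchars() with ENT_QUOTES plus a UTF-8 validity check.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed category record, as a user holding "administer site-wide
// contact form" could store it. The embedded markup is the kind of input
// the advisory says was not sufficiently filtered.
$category = array(
  'title'      => 'Sales <script>alert(1)</script>',
  'additional' => 'We reply within <b onmouseover=alert(1)>48h</b>',
);

// Vulnerable pattern (hypothetical): stored text is concatenated straight
// into the page. Note that Drupal 6's drupal_set_title() stores its
// argument verbatim, so the caller is responsible for escaping the title.
function render_contact_page_unsafe($category) {
  $out  = '<h1>' . $category['title'] . '</h1>';
  $out .= '<p>' . $category['additional'] . '</p>';
  return $out;
}

// Hardened pattern: escape on output with check_plain(). If the additional
// information must carry some markup, Drupal's filter_xss() with an
// explicit allow-list of tags is the API to use instead of check_plain().
function render_contact_page_safe($category) {
  $out  = '<h1>' . check_plain($category['title']) . '</h1>';
  $out .= '<p>' . check_plain($category['additional']) . '</p>';
  return $out;
}

echo render_contact_page_unsafe($category), "\n"; // markup reaches the browser as-is
echo render_contact_page_safe($category), "\n";   // markup is shown as literal text
```

A detection-side check for an installed site is simply the module version: anything below 6.x-1.13 renders these fields without the escaping shown in the safe variant.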


Versions affected

    * Contact forms 6.x-1.x versions prior to 6.x-1.13.

Drupal core is not affected. If you do not use the contributed Contact
Forms module, there is nothing you need to do.


Solution

Install the latest version:

    * If you use the Contact Forms module for Drupal 6.x, upgrade to
      6.x-1.13

Also see the Contact Forms project page.


Reported by

    * Ivo Van Geertruyen of the Drupal Security Team

Fixed by

    * Geoff Davies, the module maintainer

Coordinated by

    * Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.


Categories: Drupal 6.x



======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
