Minor sidenotes for Tagadelic users, regarding SA-CONTRIB-2011-013

Tagadelic, Drupal's tag-cloud module, was found to have a security vulnerability. From the advisory:

The module does not sanitize some of the user-supplied data before displaying it on abovementioned cloud pages, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative access.

This vulnerability is mitigated by the fact that the attacker must have a role with the ‘administer taxonomy’ permission which should generally only be granted to trusted roles.

The fix simply escapes the description and the title before they are passed along.

This may cause problems for the people who “abused” this vulnerability. Admins who, for example, had embedded video, HTML markup or JavaScript in the description of their tag cloud page will no longer see this after upgrading.

For them, there is no simple solution, other than the strongly discouraged “solution” of not upgrading. I discourage this not only for security reasons, but also because any future release will re-introduce this issue.

Taxonomy descriptions and titles were never meant to hold any markup in the first place, so if this upgrade hits people, they were abusing a Drupal-non-feature in the first place.

A better solution would be to place such markup in a block and embed that in the theme (in a region). That way you use the proper Drupal-tools for the proper job.
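To see what the escaping does to existing content, and to find out before upgrading which vocabularies are affected, here is an added example (not Tagadelic's own code, and not the actual patch). The helper names, the HTML wrapper and the sample data are assumptions; the escaping is assumed to behave like PHP's `htmlspecialchars()` with `ENT_QUOTES`.

```php
<?php
// Added example, not Tagadelic's code. All function names are hypothetical.

// Plain-text escaping of the kind the fix applies (assumed equivalent
// to htmlspecialchars with ENT_QUOTES).
function escape_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// "Before": title and description reach the page untouched, so any
// markup stored in them is interpreted by the browser.
function render_cloud_header_unescaped(string $title, string $description): string {
  return "<h2>$title</h2>\n<div class=\"description\">$description</div>";
}

// "After": both values are escaped before they are passed along, so
// stored markup is shown as literal text instead of being rendered.
function render_cloud_header_escaped(string $title, string $description): string {
  return render_cloud_header_unescaped(escape_plain($title), escape_plain($description));
}

// Upgrade check: list the fields that contain tags and will therefore
// show up as visible text after the fix. A bare "&" is not flagged,
// because it looks the same to the visitor once escaped.
function find_affected(array $vocabularies): array {
  $affected = [];
  foreach ($vocabularies as $vid => $v) {
    foreach (['name', 'description'] as $field) {
      if (strip_tags($v[$field]) !== $v[$field]) {
        $affected[] = "vocabulary $vid: $field";
      }
    }
  }
  return $affected;
}

// Constructed sample data, not taken from a real site.
$vocabularies = [
  1 => ['name' => 'Tags', 'description' => 'All tags used on this site.'],
  2 => ['name' => 'Videos', 'description' => '<iframe src="https://video.example/embed/1"></iframe> Watch the intro'],
  3 => ['name' => 'Q&A', 'description' => 'Questions <em>and</em> answers'],
];

foreach (find_affected($vocabularies) as $hit) {
  echo "changes after upgrade: $hit\n";
}
echo render_cloud_header_escaped($vocabularies[2]['name'], $vocabularies[2]['description']), "\n";
```

Anything the check reports is a candidate for moving into a block, as described above.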

Also note that the unreleased Drupal 7 branch is not yet fixed.

This article was published on webschuur.com and migrated to this blog.


About the author: Bèr Kessels is an experienced web developer with a great passion for technology and Open Source. A golden combination to implement that technology in a good and efficient way.