Advanced Poll 6.x versions - XSS Vulnerability

During the weekend I discovered an XSS issue with the Advanced Poll module. I've made sure to provide a patch and submit this to the issue queue.

I have actually submitted a few other SAs in the past; one of them was for the nice_dash module, which aims to provide a dashboard interface for Drupal administrators, but unfortunately it wasn't yet committed.


Drupal Security Advisory - XSS vulnerability in Advanced Poll module versions 6.x-3.x and prior

Project: Advanced Poll (third-party module)

Version: 6.x-3.x and earlier

Date: 2013-10-25

Security risk: Highly critical

Exploitable from: Remote

Vulnerability: Cross Site Scripting 

This module enables you to create advanced types of polls, such as the binary and ranking polls the module offers. The module did not sufficiently filter poll question titles for malicious JavaScript before outputting them, so script embedded in a saved title would run in the browser of anyone viewing the poll. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit polls.
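As an added illustration (not the Advanced Poll module's own code; the function names, the CSS class, the `check_plain_shim()` helper and the sample title are assumptions), the unsafe output pattern that produces this kind of stored XSS in a Drupal 6 theme or render function, next to the escaped form a patch would use:

```php
<?php
// Added illustration, not the module's code: the unescaped output pattern
// behind a stored XSS in a Drupal 6 render path, beside the escaped form.

// Minimal stand-in for Drupal 6's check_plain(): HTML-escape a string so the
// browser shows it as text instead of parsing it as markup. Drupal's real
// function also validates UTF-8 first; this shim is an assumption so the
// example runs outside Drupal.
function check_plain_shim($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the poll question title is concatenated into markup
// unescaped, so any HTML stored in the title is rendered by the browser.
function render_poll_title_vulnerable($title) {
  return '<h2 class="advpoll-title">' . $title . '</h2>';
}

// Hardened pattern: the title is escaped at output time (Drupal's
// convention: store raw, escape on render), so the same stored value is
// displayed literally and no script executes.
function render_poll_title_fixed($title) {
  return '<h2 class="advpoll-title">' . check_plain_shim($title) . '</h2>';
}

// Constructed sample input: a title a user with permission to create or
// edit polls could have saved.
$sample_title = 'Favourite colour? <script>alert("stored XSS")</script>';

$unsafe = render_poll_title_vulnerable($sample_title);
$safe   = render_poll_title_fixed($sample_title);

// Check a reviewer can run against a theme function: the hardened output
// must not contain a raw <script> tag, while the vulnerable output does.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
echo $unsafe, "\n";
echo $safe, "\n";
```

The fix belongs at the output point rather than on input: Drupal stores node titles raw and expects every theme function to pass them through `check_plain()` (or `check_markup()` for trusted formats), so a review of the module should look for every place a poll title is concatenated into HTML, not only the one the patch touches.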

Versions affected

Advanced Poll 6.x-3.x and all prior versions

Solution

Apply the patch

Reported by

Liran Tal <liran.tal@gmail.com>

Fixed by

Liran Tal  <liran.tal@gmail.com>

Comments


Drupal has a well-established process for dealing with security issues; in fact, on EVERY SINGLE ISSUE CREATION PAGE, e.g. the page you would have submitted that issue from (https://drupal.org/node/add/project-issue/advpoll), it says right there "Security issues should not be reported here. Instead, follow the procedure for reporting security issues.", which links to https://drupal.org/node/101494.

Please follow these procedures and STOP REPORTING SECURITY VULNERABILITIES IN PUBLIC ISSUE QUEUES!

The security of every site that uses a module with a vulnerability is dependent upon these procedures being used, specifically that the security team work with the maintainers to fix the issue & create a new project release before publicizing the vulnerability, so that site maintainers then have a fix available as soon as the vulnerability is disclosed.

I think it would be good if you noted here why you posted it in public (module has no stable release and (I guess the main reason) seems to be pretty much unmaintained), and that that usually shouldn't be done. Otherwise, people not familiar with Drupal's security policy might learn this the wrong way.
