It was reported that the Chaos tool suite (ctools) for Drupal suffered from a local file inclusion flaw and an XSS flaw [1]:

The module doesn't sufficiently validate css import statements to confirm they only include css content appropriate to show to end users. This could allow a malicious user to add sensitive content from the site (e.g. settings.php) exposing that sensitive content to visitors of the page. It could also be used to execute a Cross Site Scripting attack.

This vulnerability is partly mitigated by the fact that an attacker must have a role with a permission to place custom CSS into a field. However, any user who can create or edit a node may have sufficient permissions to place the CSS depending on the site configuration.

This is corrected in upstream 6.x-1.9 and 7.x-1.1 releases. Current Fedora and EPEL releases for drupal7-ctools have 1.1 in testing, drupal6-ctools needs to be updated to 1.9.

[1] http://drupal.org/node/1719548
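As an added illustration of the validation the report says was missing (this is a hypothetical checker written for this page, not the ctools patch or any Drupal API), the function below scans user-supplied CSS for `@import` rules and rejects any target that is not a plain `.css` resource, so a rule pointing at `settings.php`, a traversal path, or a `data:`/`javascript:` scheme is flagged before the stylesheet is served:

```python
import re
from urllib.parse import urlsplit

# Matches "@import <target>;" in both the quoted-string and url(...) forms.
# Group 2 is the import target. Hypothetical pattern for this example only.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?(['"]?)([^'")\s;]+)\1\s*\)?[^;]*;""",
    re.IGNORECASE,
)

# Relative paths plus http(s); anything else (data:, javascript:, file:) is refused.
ALLOWED_SCHEMES = {"", "http", "https"}


def import_target_is_safe(target: str) -> bool:
    """True only if the @import target is a stylesheet we are willing to pull in."""
    parts = urlsplit(target.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # script-bearing or local-file schemes
    # Query string and fragment are split off, so "settings.php?x=.css" still fails.
    if not parts.path.lower().endswith(".css"):
        return False  # settings.php, .inc, .txt ... are not stylesheets
    if ".." in parts.path.split("/"):
        return False  # no directory traversal out of the theme directory
    return True


def validate_custom_css(css: str):
    """Return (ok, offending_targets) for a block of user-supplied CSS."""
    bad = [
        m.group(2)
        for m in IMPORT_RE.finditer(css)
        if not import_target_is_safe(m.group(2))
    ]
    return (len(bad) == 0, bad)


if __name__ == "__main__":
    # Constructed sample: one benign import, one that reaches for settings.php.
    sample = (
        '@import "theme/extra.css";\n'
        '@import url("../../sites/default/settings.php");\n'
        "body { color: red; }\n"
    )
    print(validate_custom_css(sample))
```

A site would run this (or an equivalent allowlist) at save time on any field that accepts custom CSS, and refuse the submission when `ok` is false rather than trying to repair the rule.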
Created drupal6-ctools tracking bugs for this issue

Affects: fedora-all [bug 848888]
Affects: epel-all [bug 848889]
Fixed and submitted. Thanks Vincent!