Red Hat Bugzilla – Bug 848886
drupal6-ctools: local file inclusion and XSS flaws (DRUPAL-SA-CONTRIB-2012-125)
Last modified: 2016-03-04 06:34:51 EST
It was reported that the Chaos tool suite (ctools) for Drupal suffered from a local file inclusion flaw and an XSS flaw:
The module doesn't sufficiently validate CSS import statements to confirm they only include CSS content appropriate to show to end users. This could allow a malicious user to add sensitive content from the site (e.g. settings.php), exposing that sensitive content to visitors of the page. It could also be used to execute a Cross Site Scripting attack.
This vulnerability is partly mitigated by the fact that an attacker must have a role with a permission to place custom CSS into a field. However, any user who can create or edit a node may have sufficient permissions to place the CSS, depending on the site configuration.
This is corrected in upstream 6.x-1.9 and 7.x-1.1 releases. Current Fedora and EPEL releases for drupal7-ctools have 1.1 in testing; drupal6-ctools needs to be updated to 1.9.
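A defensive filter in the spirit of the advisory above, added here as an illustration and not the ctools module's own code: it drops every @import rule from user-supplied CSS (the conservative way to stop a rule that points at settings.php or any other non-CSS file) and removes declarations that carry script-capable tokens, reporting what it rejected so the attempt can be logged. The regexes and function names are this example's own assumptions; ctools is PHP, and Python is used only to show the check.

```python
import re

# Matches an @import rule in either form:
#   @import url("x") media;   or   @import "x" media;
# Hypothetical pattern written for this example; it is not the ctools filter.
IMPORT_RE = re.compile(
    r'@import\s+(?:url\(\s*["\']?([^"\')]*)["\']?\s*\)|["\']([^"\']*)["\'])[^;]*;?',
    re.IGNORECASE,
)

# Whole declarations whose value can trigger script execution in some browsers.
DANGEROUS_DECL_RE = re.compile(
    r'[^;{}]*(?:expression\s*\(|javascript\s*:|behavior\s*:|-moz-binding\s*:)[^;}]*;?',
    re.IGNORECASE,
)


def find_imports(css: str) -> list[str]:
    """Return the target of every @import rule in the submitted CSS."""
    return [m.group(1) or m.group(2) for m in IMPORT_RE.finditer(css)]


def filter_custom_css(css: str) -> tuple[str, list[str]]:
    """Sanitise user-supplied CSS; return (clean_css, list_of_rejected_fragments).

    @import is removed outright: whoever resolves the rule (browser or a
    server-side aggregator) would otherwise load whatever it names, which is
    how a rule pointing at settings.php could expose that file's contents.
    """
    findings = [f"@import {target}" for target in find_imports(css)]
    clean = IMPORT_RE.sub("", css)
    findings += [m.group(0).strip() for m in DANGEROUS_DECL_RE.finditer(clean)]
    clean = DANGEROUS_DECL_RE.sub("", clean)
    return clean.strip(), findings


if __name__ == "__main__":
    # Constructed sample: an @import aimed at a non-CSS file followed by benign CSS.
    submitted = '@import url("../../sites/default/settings.php");\nbody { color: red; }'
    clean, rejected = filter_custom_css(submitted)
    print("clean CSS:", clean)
    print("rejected:", rejected)
```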
Created drupal6-ctools tracking bugs for this issue
Affects: fedora-all [bug 848888]
Affects: epel-all [bug 848889]
Fixed and submitted. Thanks Vincent!