VYPR
Unrated severity · NVD Advisory · Published Feb 23, 2011 · Updated Apr 29, 2026

CVE-2011-1066

Description

Cross-site scripting (XSS) vulnerability in the Messaging module 6.x-2.x before 6.x-2.4 and 6.x-4.x before 6.x-4.0-beta8 for Drupal allows remote attackers with administer messaging permissions to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Drupal Messaging module allows users with administer messaging permissions to inject arbitrary web script or HTML.

Vulnerability

The Messaging module for Drupal 6.x contains a cross-site scripting (XSS) vulnerability in versions 6.x-2.x prior to 6.x-2.4 and 6.x-4.x prior to 6.x-4.0-beta8 [1]. The module fails to sanitize certain user-supplied data before displaying it, so arbitrary web script or HTML can be injected. The advisory does not identify the affected input (the vectors are unspecified); exploitation requires a role that has been granted the 'administer messaging' permission [1].

Exploitation

An attacker must possess a Drupal role that has been granted the 'administer messaging' permission, which is typically reserved for trusted users [1]. With this permission, the attacker can craft malicious input that, when processed and displayed by the module, executes arbitrary script in the context of another user's browser session. The exact vectors are not detailed in the available references, but the attack is performed remotely [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML, leading to cross-site scripting (XSS) attacks. This can result in session hijacking, defacement, or theft of sensitive data. The advisory notes that this may lead to a malicious user gaining full administrative access [1]. The impact is limited to users who view the affected content, and the privilege the attacker must already hold ('administer messaging') limits the pool of possible attackers and so mitigates widespread exploitation.

Mitigation

The vulnerability is fixed in Messaging 6.x-2.4 for the 6.x-2.x branch and Messaging 6.x-4.0-beta8 for the 6.x-4.x branch [1]. Users should upgrade to these versions immediately. No workarounds are provided in the advisory. Drupal core is not affected; only sites using the contributed Messaging module are vulnerable [1]. The fix was released on February 16, 2011, and the CVE was published on February 23, 2011.
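A practical way to act on the version ranges above is to check the release an installed copy of the module reports. The following is an added illustration, not code from the advisory or from the Messaging project; it assumes the `version = "..."` line that drupal.org packaging writes into a module's .info file, orders Drupal contrib version strings (alpha < beta < rc < final), and compares the result against the fixed releases the advisory names for each branch. Versions on branches the advisory does not cover, and `-dev` snapshots, are reported as unknown rather than guessed.

```python
"""Check whether a Drupal 6 Messaging release is in the affected range for
CVE-2011-1066 (<6.x-2.4 on the 6.x-2.x branch, <6.x-4.0-beta8 on 6.x-4.x).

Added illustration; not part of the advisory or of the Messaging module.
"""
import re
from typing import Optional, Tuple

# Pre-release ordering used by Drupal contrib versions: alpha < beta < rc < final.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# First fixed release per affected branch (core, major), as stated in the advisory.
FIXED_RELEASES = {
    ("6.x", 2): "6.x-2.4",
    ("6.x", 4): "6.x-4.0-beta8",
}

# Matches strings such as 6.x-2.3, 6.x-4.0-beta7, 6.x-4.x-dev.
_VERSION_RE = re.compile(
    r"^(?P<core>\d+\.x)-(?P<major>\d+)\.(?P<minor>\d+|x)"
    r"(?:-(?P<pre>alpha|beta|rc|dev)(?P<num>\d+)?)?$"
)

ParsedVersion = Tuple[str, int, int, int, int]


def parse_version(version: str) -> Optional[ParsedVersion]:
    """Parse '6.x-4.0-beta7' into (core, major, minor, pre_rank, pre_num).

    Returns None for strings that cannot be ordered: malformed input and
    -dev snapshots such as '6.x-4.x-dev', which carry no release number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m or m.group("minor") == "x" or m.group("pre") == "dev":
        return None
    pre = m.group("pre")
    rank = _PRE_RANK[pre] if pre else _FINAL_RANK
    num = int(m.group("num") or 0) if pre else 0
    return (m.group("core"), int(m.group("major")), int(m.group("minor")), rank, num)


def is_affected(version: str) -> Optional[bool]:
    """True if the release sorts below its branch's fixed version, False if it is
    at or above it, None if the version is not orderable or the branch is not
    one the advisory covers."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_RELEASES.get((parsed[0], parsed[1]))
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def version_from_info(info_text: str) -> Optional[str]:
    """Pull the packaged version from a module .info file; drupal.org packaging
    appends a line of the form: version = "6.x-2.3"."""
    for line in info_text.splitlines():
        m = re.match(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None


# Constructed sample .info content in the shape drupal.org packaging produces.
SAMPLE_INFO = """name = Messaging
description = Messaging framework
core = 6.x
version = "6.x-2.3"
project = "messaging"
"""

if __name__ == "__main__":
    installed = version_from_info(SAMPLE_INFO)
    print(installed, is_affected(installed))
```

Run it against the contents of `sites/all/modules/messaging/messaging.info` (the usual contrib location) instead of the constructed sample to check a real site; a result of `None` means the check cannot decide and the version should be confirmed by hand.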

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (11)

  • Reyero/Messaging (10 versions)
    • cpe:2.3:a:reyero:messaging:6.x-2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-4.x:beta1:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-4.x:beta3:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-4.x:beta4:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-4.x:beta5:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-4.x:beta6:*:*:*:*:*:*
    • cpe:2.3:a:reyero:messaging:6.x-4.x:beta7:*:*:*:*:*:*
  • Range: <6.x-2.4, <6.x-4.0-beta8

Patches (0)

No patches discovered yet.

References (5)
