SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass

The email module provides a field type (CCK / FieldAPI) for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address
is.

Access bypass

The module didn’t sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the field itself.
This vulnerability is mitigated by needing to to use a field permission module (other than CCK’s Content Permissions) with those email fields and need to have the field contact field formatter configured for either full or teaser display modes.

CVE: Cross-site Scripting: CVE-2012-5587; Access Bypass: CVE-2012-5588

Cross Site Scripting

Furthermore the mailto link wasn’t sanitized when output to the screen. This vulnerability is mitigated by the fact that Drupal’s form validation for emails prevents malicious emails and would need to be bypassed to exploit this vulnerability, e.g. by importing data from external sources and not doing validation.

CVE: Requested

Versions affected

• Email Field 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Email Field module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Email Field module for Drupal 6.x, upgrade to Email 6.x-1.4

Also see the Email Field project page.

Reported by

• Fox (hefox)

Fixed by

• Matthias Hutterer the module maintainer

Coordinated by

• Fox (hefox) of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team