SA-CONTRIB-2013-023 - Varnish module - Cross Site Scripting (XSS)

This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system.

The module doesn’t sufficiently filter user-supplied text provided in the configuration settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Varnish”.

CVE identifier(s) issued

• CVE-2013-0325

Versions affected

• Varnish 6.x-1.x versions prior to 6.x-1.2.
• Varnish 7.x-1.x versions prior to 7.x-1.0-beta2.

Drupal core is not affected. If you do not use the contributed Varnish HTTP Accelerator Integration module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Varnish module for Drupal 6.x, upgrade to Varnish 6.x-1.2
• If you use the Varnish module for Drupal 7.x, upgrade to Varnish 7.x-1.0-beta2

Also see the Varnish HTTP Accelerator Integration project page.

Reported by

• Ivo Van Geertruyen of the Drupal Security Team

Fixed by

• Josh Koenig the module maintainer
• Fabian Sörqvist the module maintainer
• Ivo Van Geertruyen of the Drupal Security Team

Coordinated by

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team