Security Vulnerability SA-CONTRIB-2009-046 - Date - Cross Site Scripting

A commentary

This morning (in my local timezone), I received word of a security vulnerability in an upstream component of ProsePoint. In this case, it was SA-CONTRIB-2009-046 - Date - Cross Site Scripting (http://drupal.org/node/534636) and it affects the Drupal Date module.

For most security updates, I simply patch ProsePoint, test, and release. It takes a few hours, but otherwise I just turn the handle. Usually the release is out within about 12 hours of the original announcement's disclosure, well within the self-imposed 24-hour response time.

However, this time, patching ProsePoint will take longer and may, in fact, take longer than 24 hours. Please consider this a warning, but there is no need to be alarmed.

The vulnerability SA-CONTRIB-2009-046 is actually not exploitable in ProsePoint 'out of the box'. Given that ProsePoint has been using an old version of the Date module, the vulnerability may not exist in ProsePoint at all (though this is unconfirmed).

For your site to be affected at all, you must have enabled the 'Date Copy' module and then configured it for use. If, like the majority of ProsePoint users, you have no idea what this module is, or you have not enabled it, then your site won't be affected.

However, this vulnerability still needs to be patched. Hence, there will be a ProsePoint release soon with a fix, but it may take longer than 24 hours to arrive.

The reason the new ProsePoint release may take a while is that the Date module has been a problematic one. It has had a few issues over the last few versions, and I'd been holding off on upgrading it within ProsePoint in the hope that the bug(s) would clear up. Unfortunately, the security announcement has forced my hand: I will have to upgrade it to the latest version (6.x-2.3) and then work around the bug(s). This will take longer than usual for a security-related patch, but hopefully it won't take too long.

To summarise:

The security vulnerability SA-CONTRIB-2009-046 - Date - Cross Site Scripting (http://drupal.org/node/534636) does not affect ProsePoint 'out of the box'. It will not affect your site unless you have enabled a non-default date-related module.

There will be a new ProsePoint version that addresses this vulnerability, but it may take longer than 24 hours to be released.