Drupal Hostip Module Cross Site Scripting Vulnerability UPDATED
The information has been provided by Klaus Purer.
The original article can be found at: http://drupal.org/node/1802218
* Drupal Hostip 6.x-1.1 versions prior to 6.x-1.2.
Hostip enables you to query the http://www.hostip.info/ API to get country and state information based on the user’s IP address or a specific IP passed to it. The module fails to sanitize data retrieved from an untrusted third-party source, thereby exposing an arbitrary script injection vulnerability (XSS). This vulnerability is mitigated by the fact that an attacker must either have gained access to that third-party source or use techniques such as DNS spoofing in order to inject malicious data.
Published: October 03 2012
Updated: November 23 2012
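The flaw class described above, shown as an added example that is not the Hostip module's own code: values from a remote lookup service are placed into HTML, first unescaped and then escaped at output. The function names, the "Key: value" reply layout and the sample reply are assumptions constructed for illustration.

```php
<?php
// Constructed sample reply from a geolocation lookup (assumed "Key: value"
// layout). The City field carries markup, as it could if the upstream
// service or the DNS answer pointing to it had been tampered with.
$reply = "Country: UNITED STATES (US)\nCity: <script>alert(1)</script>\nIP: 203.0.113.7";

// Hypothetical parser: turn the reply into a lower-cased key => value array.
function parse_reply($text) {
  $fields = array();
  foreach (explode("\n", $text) as $line) {
    $parts = explode(':', $line, 2);
    if (count($parts) === 2) {
      $fields[strtolower(trim($parts[0]))] = trim($parts[1]);
    }
  }
  return $fields;
}

// Stand-in for Drupal's check_plain(), which escapes with htmlspecialchars().
function escape_html($value) {
  return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Before: remote values are concatenated straight into markup, so any tags
// in the reply become part of the page.
function render_unsafe(array $f) {
  return '<div class="geo">' . $f['city'] . ', ' . $f['country'] . '</div>';
}

// After: every remote value is treated as untrusted text and escaped at the
// point of output, regardless of how much the upstream service is trusted.
function render_safe(array $f) {
  $city = isset($f['city']) ? $f['city'] : '';
  $country = isset($f['country']) ? $f['country'] : '';
  return '<div class="geo">' . escape_html($city) . ', '
    . escape_html($country) . '</div>';
}

$fields = parse_reply($reply);
echo render_unsafe($fields), "\n"; // vulnerable output path
echo render_safe($fields), "\n";   // hardened output path
```

In a Drupal 6 module the same fix is a call to `check_plain()` on each remote value before it is passed to the theme layer or concatenated into markup.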