Drupal Hostip Module Cross Site Scripting Vulnerability UPDATED


The Hostip module for Drupal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.


The information has been provided by Klaus Purer.
The original article can be found at: http://drupal.org/node/1802218


Vulnerable Systems:
 * Drupal Hostip 6.x-1.1 versions prior to 6.x-1.2.

Hostip lets a site query the http://www.hostip.info/ API for country and state information based on the visiting user's IP address, or on a specific IP address passed to it. The module fails to sanitize the data returned by this untrusted third-party source before outputting it, which exposes an arbitrary script injection (cross-site scripting, XSS) vulnerability. The issue is mitigated by the fact that an attacker must either have gained access to that third-party source or use techniques such as DNS spoofing in order to inject malicious data into the response.
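The following PHP is an added illustration of the flaw class described above and is not code from the Hostip module or from Drupal. It contrasts a render function that concatenates the geolocation service's response straight into markup with one that escapes the strings first, and adds a plausibility check on the returned values. The sample response text, the field layout and every function name are constructed for the example.

```php
<?php
// Added example, not the Hostip module's code. Demonstrates why strings
// returned by a third-party geolocation API must be treated as untrusted
// output: a compromised or spoofed endpoint can return markup.

// Constructed "Key: value" response. A legitimate service would not return
// a script tag here; this models a tampered response.
const SAMPLE_RESPONSE =
  "Country: EXAMPLELAND (XX)<script>alert(1)</script>\nCity: Sample City\nIP: 192.0.2.1\n";

/**
 * Parse "Key: value" lines into a lowercase-keyed associative array.
 * (Hypothetical helper; the real module's parsing is not shown on the page.)
 */
function parse_geo_response(string $body): array {
  $fields = [];
  foreach (preg_split('/\r?\n/', $body) as $line) {
    if (preg_match('/^([A-Za-z]+):\s*(.*)$/', $line, $m)) {
      $fields[strtolower($m[1])] = $m[2];
    }
  }
  return $fields;
}

/**
 * Vulnerable pattern: third-party data placed into HTML without escaping.
 * The script tag in SAMPLE_RESPONSE survives intact into the page.
 */
function render_location_unsafe(array $fields): string {
  return '<div class="geo">Country: ' . ($fields['country'] ?? '')
       . ', City: ' . ($fields['city'] ?? '') . '</div>';
}

/**
 * Output escaping. Drupal 6 provides check_plain() for this purpose;
 * htmlspecialchars() with ENT_QUOTES and UTF-8 is used so the example runs
 * outside Drupal.
 */
function escape_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Hardened pattern: every string from the remote service is escaped at the
 * point where it becomes HTML, regardless of how trustworthy the service
 * is believed to be.
 */
function render_location_safe(array $fields): string {
  return '<div class="geo">Country: ' . escape_plain($fields['country'] ?? '')
       . ', City: ' . escape_plain($fields['city'] ?? '') . '</div>';
}

/**
 * Defence in depth: a country or city name is expected to contain only
 * letters, digits, spaces and a few punctuation characters. Anything else
 * indicates a tampered response and is worth logging rather than rendering.
 */
function looks_like_location_name(string $value): bool {
  return (bool) preg_match('/^[\p{L}\p{N} .,\'()-]{0,100}$/u', $value);
}

$fields = parse_geo_response(SAMPLE_RESPONSE);

echo "Unsafe: " . render_location_unsafe($fields) . "\n";
echo "Safe:   " . render_location_safe($fields) . "\n";

foreach (['country', 'city'] as $key) {
  $value = $fields[$key] ?? '';
  if (!looks_like_location_name($value)) {
    // In a module this would be a watchdog() entry and the value dropped.
    echo "Suspicious {$key} value from geolocation service: " . escape_plain($value) . "\n";
  }
}
```

Run with `php example.php`: the "Unsafe" line contains the raw `<script>` element, the "Safe" line shows it converted to `&lt;script&gt;`, and the plausibility check flags the country field. Escaping at output is the fix the advisory calls for; the allowlist check is an additional control that makes a spoofed upstream response visible in logs instead of silently passing through.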

Patch Availability:

Disclosure Timeline:
Published: October 03 2012
Updated: November 23 2012

