[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting
- Date: Wed, 3 Mar 2010 19:03:23 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-024
* Project: eTracker (third-party module)
* Version: 6.x-1.1
* Date: 2010-March-03
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The eTracker module provides integration of a Drupal site with the eTracker
web traffic analysis service and takes the current URL as a parameter to
track what pages have been visited. The URL from the browser is forwarded to
JavaScript in the current page, and because the URL wasn't sanitised, it
could have allowed cross-site scripting attacks by appending malicious code
to the URL.
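The defect class described above, as an added PHP illustration that is not the eTracker module's own code: the same page-tracking snippet built once by raw interpolation of the request URL and once by encoding it as a JavaScript string literal (the function names, the `et_pagename` variable and the sample URL are assumptions for the example).

```php
<?php
// Constructed sample request URL containing a closing script tag and a
// double quote, the two characters that matter when text lands inside an
// inline <script> string literal.
$sample_url = '/node/1?from=</script>"';

// Hypothetical builder mirroring the defect: the URL is interpolated
// verbatim, so "</script>" ends the script element early and the quote
// terminates the string, letting attacker-controlled text become markup.
function etracker_snippet_unsafe($url) {
  return "<script type=\"text/javascript\">\n"
       . "var et_pagename = \"" . $url . "\";\n"
       . "</script>";
}

// Hardened builder: emit the value as a JSON/JavaScript string literal with
// <, >, &, and both quote characters hex-escaped. The browser's HTML parser
// never sees a tag or a string terminator inside the literal. Drupal 6 ships
// drupal_to_js() for the same purpose; plain json_encode() is used here so
// the file runs outside Drupal.
function etracker_snippet_safe($url) {
  $js = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
  return "<script type=\"text/javascript\">\n"
       . "var et_pagename = " . $js . ";\n"
       . "</script>";
}

// Defender-side check: the emitted HTML must contain exactly the one script
// element we wrote, so any extra opening or closing tag means the embedded
// value broke out of its literal.
function snippet_is_inert($html) {
  $lower = strtolower($html);
  return substr_count($lower, '<script') === 1
      && substr_count($lower, '</script>') === 1;
}

$unsafe = etracker_snippet_unsafe($sample_url);
$safe   = etracker_snippet_safe($sample_url);
var_dump(snippet_is_inert($unsafe)); // the raw interpolation fails the check
var_dump(snippet_is_inert($safe));   // the encoded value passes it
echo $safe, "\n";
```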
-------- VERSIONS AFFECTED ---------------------------------------------------
* eTracker prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed eTracker
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use eTracker for Drupal 6.x, upgrade to eTracker 6.x-1.2 [1].
See also the eTracker project page [2].
-------- REPORTED BY ---------------------------------------------------------
* Andreas Harder
-------- FIXED BY ------------------------------------------------------------
* Jürgen Haas (jurgenhaas [3]), the module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://drupal.org/node/731018
[2] http://drupal.org/project/eTracker
[3] http://drupal.org/user/168924
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.