
it-securitynotifies - [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities
  • Date: Wed, 22 Sep 2010 18:33:00 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2010-095
* Project: Lightbox2 (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-22
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross-Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Lightbox2 module enables images to be overlaid on the current page using
JavaScript. The module displays images above the page instead of within it,
freeing the page design from layout constraints and keeping users on the same
page.

The module does not sanitize some of the user supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be
used by a malicious user to gain full administrative access.

The Lightbox2 module also enables Embedded Media Field [2] and Acidfree [3]
videos to be displayed in a modal popup. In some cases checks on the user's
field level access to the source video were not carried out correctly,
allowing direct queries to the backend URL resulting in the display of videos
which the user would otherwise be unable to access.
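As an added illustration of the two fixes the advisory describes (not Lightbox2's own code), a hypothetical Drupal 6 menu callback that serves a video field value to a popup: it runs both the node-level and the CCK field-level access check before answering the backend URL, and escapes user-supplied strings before printing them. The module name, path and function names are assumptions; node_load, node_access, content_fields, content_access, check_plain and check_url are Drupal 6 / CCK API functions.

```php
<?php
// Added illustration, not Lightbox2's own code. Module name, path and function
// names are hypothetical; node_load, node_access, content_fields, content_access,
// check_plain and check_url are Drupal 6 / CCK API functions.
/**
 * Implementation of hook_menu(): the backend URL the popup script queries gets
 * its own access callback instead of the generic 'access content' permission.
 */
function mymodule_menu() {
  $items['mymodule/video/%node/%'] = array(
    'page callback'    => 'mymodule_video_page',
    'page arguments'   => array(2, 3),
    'access callback'  => 'mymodule_video_access',
    'access arguments' => array(2, 3),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback. A node-level check alone is the gap the advisory describes:
 * the CCK field-level check must also pass before the field value is served.
 */
function mymodule_video_access($node, $field_name) {
  if (!node_access('view', $node)) {
    return FALSE;
  }
  $field = content_fields($field_name, $node->type);
  if (empty($field)) {
    // Unknown field on this content type: deny instead of falling through.
    return FALSE;
  }
  return content_access('view', $field, NULL, $node);
}

/**
 * Page callback. Every user-supplied string is escaped before it is printed:
 * check_plain() for text, check_url() for the media URL placed in an attribute.
 */
function mymodule_video_page($node, $field_name) {
  $output = '<h2>' . check_plain($node->title) . '</h2>';
  foreach ((array) $node->{$field_name} as $item) {
    if (!empty($item['value'])) {
      // Assumed: the field stores the media URL in its 'value' column.
      $output .= '<video src="' . check_url($item['value']) . '" controls></video>';
    }
  }
  return $output;
}
```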

-------- VERSIONS AFFECTED ---------------------------------------------------

* Lightbox2 module for Drupal 6.x versions prior to 6.x-1.10
* Lightbox2 module for Drupal 5.x versions prior to 5.x-2.10

Drupal core is not affected. If you do not use the contributed Lightbox2 [4]
module there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Lightbox2 module for Drupal 6.x, upgrade to Lightbox2
6.x-1.10 [5]
* If you use the Lightbox2 module for Drupal 5.x, upgrade to Lightbox2
5.x-2.10 [6]

See also the Lightbox2 project page [7].

-------- REPORTED BY ---------------------------------------------------------

* mr.baileys [8], of the Drupal Security Team
* Jakub Suchy (meba) [9], of the Drupal Security Team
* Stella Power (stella) [10], module maintainer
* hefox [11]

-------- FIXED BY ------------------------------------------------------------

* Stella Power (stella) [12], module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [13] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [14].


[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/emfield
[3] http://drupal.org/project/acidfree
[4] http://drupal.org/project/lightbox2
[5] http://drupal.org/node/919648
[6] http://drupal.org/node/919636
[7] http://drupal.org/project/lightbox2
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/31977
[10] http://drupal.org/user/66894
[11] http://drupal.org/user/426416
[12] http://drupal.org/user/66894
[13] http://drupal.org/security-team
[14] http://drupal.org/contact

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
