it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] SA-CONTRIB-2010-113 - Image - Cross Site Scripting
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2010-113 - Image - Cross Site Scripting
- Date: Mon, 10 Jan 2011 10:28:59 -0000
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-113
* Project: Image (third-party module)
* Version: 5.x, 6.x
* Date: 2010-December-22
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Image module project contains supplemental modules, one of which, Image
gallery, allows users to create and maintain galleries of image nodes using
taxonomy terms.
The Image gallery module does not sanitize some user-supplied data before
displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability
which can be used by a malicious user to gain full administrative access.
*Mitigating factors*: In order to exploit this vulnerability the Image
gallery module must be enabled and the attacker must have the ability to edit
or create image galleries.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Image module for Drupal 6.x prior to 6.x-1.1
* Image module for Drupal 5.x prior to 5.x-2.0
* Image module for Drupal 5.x prior to 5.x-1.10
Drupal core is not affected. If you do not use the contributed Image module
there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use Image for Drupal 6.x upgrade to Image 6.x-1.1 [2].
* If you use Image 5.x-2.0-alpha5 or lower for Drupal 5.x upgrade to Image
5.x-2.0 [3].
* If you use Image 5.x-1.9 or lower for Drupal 5.x upgrade to Image 5.x-1.10
[4].
See also the Image project page [5].
-------- REPORTED BY ---------------------------------------------------------
Justin Klein Keane [6]
-------- FIXED BY ------------------------------------------------------------
* sun [7], module maintainer
* joachim [8], module maintainer
* Justin Klein Keane [9]
-------- CONTACT -------------------------------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact [10].
Learn more about the team and their policies [11], writing secure code for
Drupal [12], and secure configuration [13] of your site.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/1004800
[3] http://drupal.org/node/1004802
[4] http://drupal.org/node/1004804
[5] http://drupal.org/project/image
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/54136
[8] http://drupal.org/user/107701
[9] http://drupal.org/user/302225
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
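Added example, not part of the advisory or of the Image project's code: a small audit helper that classifies installed Image module versions against the fixed releases listed under VERSIONS AFFECTED and SOLUTION. The version pattern (`core.x-major.minor` with an optional `alpha`/`beta`/`rc` suffix) is assumed from the version strings the advisory quotes; the site names in the sample inventory are hypothetical.

```python
import re

# Fixed releases named in the advisory, keyed by (Drupal core, module major branch).
FIXED = {(6, 1): "6.x-1.1", (5, 2): "5.x-2.0", (5, 1): "5.x-1.10"}

# Assumed version pattern, e.g. 6.x-1.0, 5.x-1.9, 5.x-2.0-alpha5.
_VERSION = re.compile(r"^(\d+)\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release outranks pre-releases


def parse(version):
    """Turn '5.x-2.0-alpha5' into a sortable tuple (core, major, minor, stage, n)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal contrib version: {version!r}")
    core, major, minor, stage, n = m.groups()
    # Integer fields make 1.9 sort below 1.10, which a string comparison gets wrong.
    return (int(core), int(major), int(minor), _STAGE[stage], int(n or 0))


def check(version):
    """Return (status, fixed_release) for an installed Image module version."""
    parsed = parse(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return ("not-listed", None)  # branch is not covered by the advisory
    if parsed < parse(fixed):
        return ("affected", fixed)
    return ("fixed", fixed)


def audit(inventory):
    """Map {site: version} to {site: (status, fixed_release)}."""
    report = {}
    for site, version in inventory.items():
        try:
            report[site] = check(version)
        except ValueError:
            report[site] = ("needs-review", None)  # e.g. -dev snapshots
    return report


if __name__ == "__main__":
    # Constructed inventory; site names are hypothetical.
    sample = {"intranet": "6.x-1.0", "gallery": "5.x-2.0-alpha5",
              "archive": "5.x-1.10", "staging": "6.x-1.x-dev"}
    for site, result in audit(sample).items():
        print(site, *result)
```

A site reported as affected is only exploitable under the advisory's mitigating factors, so also confirm whether the Image gallery module is enabled and who may edit or create galleries.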