it-securitynotifies - [IT-SecNots] [Security-news] SA-CONTRIB-2011-025 - Juitter & Download Count - Cross Site Scripting (XSS)

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2011-025 - Juitter & Download Count - Cross Site Scripting (XSS)
  • Date: Wed, 22 Jun 2011 23:06:41 +0000 (UTC)
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Security announcements <it-securitynotifies.lists.piratenpartei.de>

* Advisory ID: DRUPAL-SA-CONTRIB-2011-025
* Project: Juitter - jQuery Twitter live search feeds [1] and Download Count [2] (third-party modules)
* Version: 6.x
* Date: 2011-June-22
* Security risk: Less critical [3]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Two modules are being marked unsupported because of cross-site scripting
issues.

The Juitter module lets you use Juitter, a jQuery plugin, to put live Twitter
search results on your site. The module contains a cross-site scripting
(XSS [4]) vulnerability that can be exploited when setting up the module or
translating the module's text strings. This vulnerability is mitigated by the
fact that an attacker must have a role with the permission "administer juitter
settings" or be able to translate text strings.

The Download Count module tracks downloads of files from a site. The module
contains a cross-site scripting (XSS [5]) vulnerability. This vulnerability is
mitigated by the fact that an attacker must have a role with the permission
"administer download count".

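The bug class described above, as an added illustration that is not code from Juitter, Download Count or Drupal core: a hypothetical Drupal 6 module "example_feed" (all function, variable and permission names here are assumptions) stores an administrator-supplied setting and renders it unescaped, shown beside the escaped form. The Drupal 6 API calls used (variable_get, check_plain, t, system_settings_form, hook_perm, hook_menu) are the real ones.

```php
<?php
// Added illustration, not code from Juitter, Download Count or Drupal core.
// Hypothetical Drupal 6 module "example_feed": an administrator-supplied
// setting is stored verbatim and later rendered into page markup.

// The permission that gates the settings form. The advisory names such a
// permission as the mitigating factor: only roles that hold it can reach the
// form, so this stored XSS needs at least a semi-trusted account.
function example_feed_perm() {
  return array('administer example feed settings');
}

function example_feed_menu() {
  $items['admin/settings/example-feed'] = array(
    'title' => 'Example feed',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_feed_admin_settings'),
    'access arguments' => array('administer example feed settings'),
  );
  return $items;
}

// Settings form. Storing the raw string is fine by itself; the defect is at
// the point where it is output.
function example_feed_admin_settings() {
  $form['example_feed_title'] = array(
    '#type' => 'textfield',
    '#title' => t('Feed title'),
    '#default_value' => variable_get('example_feed_title', 'Latest tweets'),
  );
  return system_settings_form($form);
}

// VULNERABLE: the setting is concatenated straight into HTML. A value such as
// <img src=x onerror=alert(document.cookie)> entered on the settings page
// executes in the browser of every visitor who sees the block.
function example_feed_block_content_vulnerable() {
  $title = variable_get('example_feed_title', 'Latest tweets');
  return '<h2 class="feed-title">' . $title . '</h2>';
}

// HARDENED: escape at the point of output. check_plain() converts <, >, &
// and " to entities, so the same value is displayed as text, not executed.
function example_feed_block_content_hardened() {
  $title = variable_get('example_feed_title', 'Latest tweets');
  return '<h2 class="feed-title">' . check_plain($title) . '</h2>';
}

// Translatable strings follow the same rule. In Drupal 6, t() inserts the
// translated string as-is (which is why the advisory counts the ability to
// translate strings as an attack prerequisite), runs check_plain() on
// @-placeholders, and inserts !-placeholders verbatim. A !-placeholder fed
// with user data is the same bug in a different place.
function example_feed_result_summary($count, $query) {
  // VULNERABLE:
  // return t('Found !count results for !query',
  //          array('!count' => $count, '!query' => $query));
  // HARDENED:
  return t('Found @count results for @query',
           array('@count' => $count, '@query' => $query));
}
```

The rule the hardened functions follow is the one Drupal's own coding guidelines state: escape on output, with check_plain() for text that must not carry markup and filter_xss_admin() only where an administrator is genuinely allowed to enter limited HTML.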
-------- VERSIONS AFFECTED ---------------------------------------------------

* Juitter module: 6.x-1.3
* Download Count module: 6.x-1.x, 6.x-2.x

Drupal core is not affected. If you do not use the contributed Juitter -
jQuery Twitter live search feeds [6] or the Download Count [7] module, there
is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Disable the Juitter module and remove the module from your filesystem. There
is no fixed version of the Juitter module available.

Disable the Download Count module and remove the module from your filesystem.
There is no fixed version of the Download Count module available.

See also the Juitter - jQuery Twitter live search feeds project page [8] and
the Download Count project page [9].
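A way to verify the remediation on a Drupal 6 site, as an added example that is not part of the advisory: a command-line PHP script (the file name, paths and database arguments are assumptions) that reports any copy of the two modules left on disk, with the version from its .info file, and optionally whether the system table still lists either module as enabled.

```php
<?php
// Added example, not part of the advisory. Reports copies of the withdrawn
// modules left under a Drupal 6 document root and, optionally, whether the
// system table still marks them enabled. File name, paths and arguments are
// assumptions:
//   php check_withdrawn_modules.php /var/www/drupal [pdo-dsn db-user db-pass]

$withdrawn = array('juitter', 'download_count');
$root = isset($argv[1]) ? rtrim($argv[1], '/') : '.';

// Directories under $root named $name that contain $name.info, i.e. every
// copy of the module, whether in sites/all/modules, a per-site modules
// directory or an install profile.
function find_module_copies($root, $name) {
  $copies = array();
  $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
  foreach ($it as $path => $file) {
    if ($file->isFile()
        && basename($path) === $name . '.info'
        && basename(dirname($path)) === $name) {
      $copies[] = dirname($path);
    }
  }
  return $copies;
}

// The version line of a .info file, e.g. version = "6.x-1.3", read with a
// regex rather than parse_ini_file() because .info values are not always
// valid INI.
function info_version($info_file) {
  foreach (file($info_file) as $line) {
    if (preg_match('/^\s*version\s*=\s*"?([^"\s]+)"?/', $line, $m)) {
      return $m[1];
    }
  }
  return 'unknown';
}

$exit = 0;
foreach ($withdrawn as $name) {
  $copies = find_module_copies($root, $name);
  if (!$copies) {
    echo "$name: not present under $root\n";
    continue;
  }
  $exit = 1;
  foreach ($copies as $dir) {
    echo "$name: still on disk at $dir (version " . info_version("$dir/$name.info") . ")\n";
  }
}

// Drupal 6 records the enabled flag in system.status. A module deleted from
// disk but still enabled leaves Drupal trying to load files that are gone,
// so disable it at admin/build/modules before removing the directory.
if (isset($argv[4])) {
  $db = new PDO($argv[2], $argv[3], $argv[4]);
  $stmt = $db->prepare("SELECT name, status FROM system WHERE type = 'module' AND name IN (?, ?)");
  $stmt->execute($withdrawn);
  foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    if ($row['status']) {
      echo "{$row['name']}: still ENABLED in the system table\n";
      $exit = 1;
    }
  }
}
exit($exit);
```

The script exits non-zero while anything remains, so it can be re-run after the cleanup (or from a cron job across several sites) until it reports both modules absent. Search the whole document root rather than only sites/all/modules: multisite installations and install profiles can carry their own copy of a module.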

-------- REPORTED BY ---------------------------------------------------------

* Maurits Lawende [10] identified the Juitter issue.
* Justin Klein Keane [11] identified the Download Count issue.

-------- FIXED BY ------------------------------------------------------------

These modules have not been fixed. Please disable them and remove them from
your file system.

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/juitter
[2] http://drupal.org/project/download_count
[3] http://drupal.org/security-team/risk-levels
[4] http://en.wikipedia.org/wiki/Cross-site_scripting
[5] http://en.wikipedia.org/wiki/Cross-site_scripting
[6] http://drupal.org/project/juitter
[7] http://drupal.org/project/download_count
[8] http://drupal.org/project/juitter
[9] http://drupal.org/project/download_count
[10] http://drupal.org/user/243897
[11] http://drupal.org/user/302225
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news

Archive provided by MHonArc 2.6.19.