[IT-SecNots] [Security-news] SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting

[security-news AT drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-008
  * Project: Video Filter [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-JANUARY-11
  * Security risk: Less critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

The Video Filter module lets you display videos from various third party
sources. When videos from Blip.tv are shown, the module fails to sanitize
source data before display.

This vulnerability is mitigated by the fact that the attacker has to be able
to either control the source of third party data (such as via DNS hijack) or
manipulate it in transit.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Video Filter 6.x-2.x and 6.x-3.x versions prior to 6.x-3.0.
  * Video Filter 7.x-2.x and 7.x-3.x versions prior to 7.x-3.0.

Drupal core is not affected. If you do not use the contributed Video Filter
[3] module, there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

Install the latest version:

  * If you use the Video Filter module for Drupal 6.x, upgrade to Video Filter
    6.x-3.0 [4]
  * If you use the Video Filter module for Drupal 7.x, upgrade to Video Filter
    7.x-3.0 [5]

See also the Video Filter [6] project page.

-------- REPORTED BY  
---------------------------------------------------------

  * Justin Klein Keane [7]

-------- FIXED BY  
------------------------------------------------------------

  * Justin Klein Keane [8]
  * Hans Nilsson [9], module maintainer

-------- COORDINATED BY  
------------------------------------------------------

  * Dave Reid [10], Drupal Security Team member

-------- CONTACT AND MORE INFORMATION  
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/video_filter
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/video_filter
[4] http://drupal.org/node/1401798
[5] http://drupal.org/node/1401800
[6] http://drupal.org/project/video_filter
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/110169
[10] http://drupal.org/user/53892
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news