* Advisory ID: DRUPAL-SA-CONTRIB-2010-057 * Project: Rotor Banner (third-party module) * Versions: 6.x-2.x, 5.x-1.x * Date: 2010-March-27 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Rotor Banner module allows users to upload images which can then be displayed in a block and rotated through using jQuery. However, when these images are displayed, the values for the various image attributes (srs, title, alt) are not properly sanitized, leading to a cross site scripting [1] (XSS) vulnerability. XSS vulnerabilities may expose site administrative accounts which could lead to a variety of additional compromises. This vulnerability is mitigated by the fact that an attacker must have the "create rotor item" or "edit any rotor item" permissions, which should generally only be granted to trusted roles.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Rotor Banner module for Drupal 5.x versions prior to 5.x-1.8, and for Drupal 6.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Rotor Banner module, there is nothing you need to do. Solution Install the latest version. * If you use the Rotor Banner module for Drupal 6.x-2.x upgrade to Rotor Banner 6.x-2.5 * If you use the Rotor Banner module for Drupal 5.x-1.x upgrade to Rotor Banner 5.x-1.8 Reported by * Martin Barbella (http://drupal.org/user/633600) Fixed by * mrfelton the module maintainer. Contact The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.