* Advisory ID: DRUPAL-SA-CONTRIB-2009-064 * Project: Bibliography module (third-party module) * Version: 6.x * Date: 2009-September-30 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Bibliography module (also known as Biblio) allows users manage and display lists of scholarly publications. The Biblio module creates customized views in order to display these listings, and these listings contain text entered by users with the 'create biblio' permission. In some cases, the module does not properly sanitize the text, leading to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. -------- VERSIONS AFFECTED ---------------------------------------------------
* Bibliography module versions 6.x prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Bibliography module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the Bibliography module for Drupal 6.x upgrade to Bibliography module 6.x-1.7 [2]
See also the Bibliography module project page [3]. -------- REPORTED BY ---------------------------------------------------------
Justin C. Klein Keane [4] -------- FIXED BY ------------------------------------------------------------
Ron Jerome [5] the module maintainer. -------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/592174 [3] http://drupal.org/project/biblio [4] http://drupal.org/user/302225 [5] http://drupal.org/user/54997