[Security-news] SA-CONTRIB-2010-113 - Image - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2010-113 * Project: Image (third-party module) * Version: 5.x, 6.x * Date: 2010-December-22 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Image module project contains supplemental modules, one of which, Image gallery, allows users to create and maintain galleries of image nodes using taxonomy terms.

The Image gallery module does not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be used by a malicious user to gain full administrative access. *Mitigating factors*: In order to exploit this vulnerability the Image gallery module must be enabled and the attacker must have the ability to edit or create image galleries.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Image module for Drupal 6.x prior to 6.x-1.1 * Image module for Drupal 5.x prior to 5.x-2.0 * Image module for Drupal 5.x prior to 5.x-1.10

Drupal core is not affected. If you do not use the contributed Image module there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Image for Drupal 6.x upgrade to Image 6.x-1.1 [2]. * If you use Image 5.x-2.0-alpha5 or lower for Drupal 5.x upgrade to Image 5.x-2.0 [3]. * If you use Image 5.x-1.9 or lower for Drupal 5.x upgrade to Image 5.x-1.10 [4].

See also the Image project page [5].

-------- REPORTED BY ---------------------------------------------------------

Justin Klein Keane [6]

-------- FIXED BY ------------------------------------------------------------

* sun [7], module maintainer * joachim [8], module maintainer * Justin Klein Keane [9]

-------- CONTACT -------------------------------------------------------------

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [10]. Learn more about the team and their policies [11], writing secure code for Drupal [12], and secure configuration [13] of your site.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/1004800 [3] http://drupal.org/node/1004802 [4] http://drupal.org/node/1004804 [5] http://drupal.org/project/image [6] http://drupal.org/user/302225 [7] http://drupal.org/user/54136 [8] http://drupal.org/user/107701 [9] http://drupal.org/user/302225 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration