* Advisory ID: DRUPAL-SA-CONTRIB-2010-017 * Project: iTweak Upload (third-party module) * Version: 6.x * Date: 2010 February 17 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
iTweak Upload does not escape file names when displaying uploaded files. This allows a malicious user with the permission to create content and upload files to perform a Cross Site Scripting [1] (XSS) attack. -------- VERSIONS AFFECTED ---------------------------------------------------
* iTweak Upload 6.x-2.x prior to 6.x-2.3 * iTweak Upload 6.x-1.x prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed iTweak Upload module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use iTweak Upload 6.x-1.x, upgrade to iTweak Upload 6.x-1.2 [2] * If you use iTweak Upload 6.x-2.x, upgrade to iTweak Upload 6.x-2.3 [3]
See also the iTweak Upload project page [4]. -------- REPORTED BY ---------------------------------------------------------
* Mark Piper
-------- FIXED BY ------------------------------------------------------------
* Ilya Ivanchenko [5], the iTweak Upload module maintainer.
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross_Site_Scripting [2] http://drupal.org/node/711072 [3] http://drupal.org/node/711074 [4] http://drupal.org/project/itweak_upload [5] http://drupal.org/user/87708