* Advisory ID: DRUPAL-SA-CONTRIB-2010-012 * Project: ODF Import (third-party module) * Version: 6.x-1.0 * Date: 2010-February-3 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
ODF Import module enables users of a Drupal site to import content created in the ODF format (e.g. using OpenOffice.org). When importing content it always used an input format which might not be available to the user importing the content leading to a cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. Mitigating factors: this only impacts sites which also use the ODF Import module, where users have the "import odf" permission. -------- VERSIONS AFFECTED ---------------------------------------------------
* ODF Import for Drupal 6.x prior to 6.x-1.0
Drupal core is not affected. If you do not use the contributed ODF Import module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Upgrade to the latest version: * If you use ODF Import for Drupal 6.x upgrade to ODF Import 6.x-1.1 [2]
See also the ODF Import project page [3]. -------- REPORTED BY ---------------------------------------------------------
* Frederic G. Marand [4]
-------- FIXED BY ------------------------------------------------------------
* Vivek Khurana [5], the module maintainer
-------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting [2] http://drupal.org/node/702470 [3] http://drupal.org/project/odfimport [4] http://drupal.org/user/27985 [5] http://drupal.org/user/407445