* Advisory ID: DRUPAL-SA-CONTRIB-2009-086 * Project: OpenSocial Shindig-Integrator (third-party module) * Version: 6.x, 5.x * Date: 2009-October-86 * Security risk: Moderately Critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets. The module fails to sanitize user input, making it vulnerable to cross site scripting (XSS [1]) attacks. This vulnerability is somewhat limited by the fact that an attacker would need an account with the permissions to "create application" on the site. -------- VERSIONS AFFECTED ---------------------------------------------------
* OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial Shindig-Integrator 6.x-2.1 [2] * OpenSocial Shindig-Integrator module for Drupal 5.x
Drupal core is not affected. If you do not use the contributed OpenSocial Shindig-Integrator [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version or disable the module. * If you use the OpenSocial Shindig-Integrator module for Drupal 6.x upgrade to OpenSocial Shindig-Integrator 6.x-2.1 [4] * If you use the OpenSocial Shindig-Integrator module for Drupal 5.x, disable the module and un-install it. The 5.x branch is no longer supported.
-------- REPORTED BY ---------------------------------------------------------
* Tony Mobily
-------- FIXED BY ------------------------------------------------------------
* Astha Bhatnagar [5], module maintainer.
-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/en/Cross_Site_Scripting [2] http://drupal.org/node/615584 [3] http://drupal.org/project/shindigintegrator [4] http://drupal.org/node/615584 [5] http://drupal.org/user/375917