* Advisory ID: DRUPAL-SA-CONTRIB-2011-003
* Project: Janrain Engage (formerly RPX) (third-party module)
* Version: 6.x
* Date: 2011-January-19
* Security risk: Less critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting or Arbitrary Code Execution
-------- DESCRIPTION ---------------------------------------------------------
RPX (recently renamed Janrain Engage) is a service that acts as a middleman between a site and external login providers like Facebook, Yahoo, WindowsLive, etc. As part of this functionality it offers the ability to take a user's avatar from these services and download it for use as the user's profile photo. The module did not properly validate this downloaded file before saving it on the site.
This could result in XSS or perhaps arbitrary code execution if a malicious user is able to supply an arbitrary file in place of the profile image.
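The advisory describes a missing check on a file fetched from a third party and written into the site's files directory. The following is an added example, not code from the module or from the Drupal project, of the validation a defender would want on such a download: the file type is decided from the leading bytes, the stored extension is derived from that detected type rather than from the remote URL or any provider-supplied header, polyglot bodies that carry markup or server-side code behind an image header are rejected, and the stored name is built from a digest. The size limit, the signature table and the sample bodies are constructed for the example.

```python
import hashlib
import re

# Magic-byte signatures for the image formats accepted as avatars
# (constructed table for this example). The extension written to disk comes
# from the detected type, never from the remote URL or a Content-Type header.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Upper bound on an avatar body (assumed value for the example).
MAX_AVATAR_BYTES = 512 * 1024

# Markup and code markers that must not appear anywhere in a stored image:
# a sniffing browser or an extension-driven server could act on them even
# when the leading bytes look like a valid image (polyglot files).
EMBEDDED_CODE = re.compile(rb"<\?php|<script|<html|<svg", re.IGNORECASE)


def detect_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_avatar(data: bytes, uid: int):
    """Check a fetched avatar body.

    Returns (True, safe_filename) when the body may be stored, or
    (False, reason) when it must be dropped. The caller writes the file
    under the returned name only; nothing from the provider names the file.
    """
    if not data:
        return False, "empty body"
    if len(data) > MAX_AVATAR_BYTES:
        return False, "too large"
    ext = detect_image_type(data)
    if ext is None:
        return False, "not a recognised image format"
    if EMBEDDED_CODE.search(data):
        return False, "image carries embedded markup or code"
    # Digest-based name: neither the provider-supplied name nor its
    # extension ever reaches the filesystem.
    digest = hashlib.sha256(data).hexdigest()[:16]
    return True, f"user-{uid}-{digest}.{ext}"


# Constructed sample bodies standing in for what a provider might return.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_SCRIPT = b"<?php echo 'not an image'; ?>"
SAMPLE_HTML = b"<html><body>not an image</body></html>"
SAMPLE_POLYGLOT = b"GIF89a" + b"<script>document.title = 'x';</script>"


if __name__ == "__main__":
    for label, body in [("png", SAMPLE_PNG), ("php", SAMPLE_SCRIPT),
                        ("html", SAMPLE_HTML), ("polyglot", SAMPLE_POLYGLOT)]:
        print(label, validate_avatar(body, 7))
```

Re-encoding the accepted image through an image library before storage would remove any payload hidden past the header; this example stays dependency-free and instead refuses anything whose body contains markup or code markers, which is the weaker but still useful check.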
-------- VERSIONS AFFECTED ---------------------------------------------------
* Janrain Engage / RPX module 6.x-1.3 only
Drupal core is not affected. If you do not use the contributed Janrain Engage / RPX module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the 6.x-1.3 version of the Janrain Engage / RPX module, upgrade to the 1.4 version [1]
-------- REPORTED BY ---------------------------------------------------------
* Greg Dunlap (heyrocker) [2]
-------- FIXED BY ------------------------------------------------------------
* Greg Dunlap (heyrocker) [3]
* George Katsitadze (geokat) [4]
* Nathan Rambeck (nrambeck) [5]
* Greg Knaddison (greggles) [6]
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact [7]. Learn more about the team and their policies [8], writing secure code for Drupal [9], and secure configuration [10] of your site.
[1] http://drupal.org/node/1032622
[2] http://drupal.org/user/128537
[3] http://drupal.org/user/128537
[4] http://drupal.org/user/933066
[5] http://drupal.org/user/92967
[6] http://drupal.org/user/36762
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration