[Security-news] SA-2009-043 - Image Assist - Multiple vulnerabilities
security-news at drupal.org
security-news at drupal.org
Wed Jul 15 23:30:10 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-043
* Project: Image Assist (third-party module)
* Version: 5.x, 6.x
* Date: 2009-07-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross site scripting, Information disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Image Assist module for Drupal 5.x and 6.x allows users to upload and
insert inline images into posts. Two vulnerabilities and weaknesses were
discovered in the contributed Image Assist module.
.... Cross site scripting
The node title is treated as if it was safe text, and is not escaped before
being output. A user with sufficient permissions to create image nodes could
insert malicious script code into the title field. Any user with access to
the Image Assist properties page or any user viewing an embedded image in a
popup is vulnerable to a cross-site scripting attack. Wikipedia has more
information about such cross site scripting [1] (XSS) attacks.
.... Information disclosure
Some pages of the module do not properly check for required access
permissions, allowing unprivileged users to view the title and body of
arbitrary nodes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Image Assist for Drupal 5.x-1.x before version 5.x-1.8
* Image Assist for Drupal 5.x-2.x before version 2.0-alpha4
* Image Assist for Drupal 6.x-1.x before version 6.x-1.1
* Image Assist for Drupal 6.x-2.x before version 2.0-alpha4
* Image Assist for Drupal 6.x-3.x-dev before 2009-07-15
Drupal core is not affected. If you do not use the contributed Image Assist
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Upgrade to the latest version:
* If you currently use Image Assist 5.x-1.x upgrade to Image Assist 5.x-1.8
[2]
* If you currently use Image Assist 5.x-2.x upgrade to Image Assist
5.x-2.0-alpha4 [3]
* If you currently use Image Assist 6.x-1.x upgrade to Image Assist 6.x-1.1
[4]
* If you currently use Image Assist 6.x-2.x upgrade to Image Assist
6.x-2.0-alpha4 [5]
* If you currently use Image Assist 6.x-3.x-dev upgrade to Image Assist
6.x-3.x-dev after 2009-07-15
See also the Image Assist project page [6].
-------- REPORTED BY
---------------------------------------------------------
Stefan M. Kudwien (smk-ka) [7]
-------- FIXED BY
------------------------------------------------------------
Daniel F. Kudwien (sun) [8], the project maintainer.
-------- CONTACT
-------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Xss
[2] http://drupal.org/node/520592
[3] http://drupal.org/node/520586
[4] http://drupal.org/node/520590
[5] http://drupal.org/node/520584
[6] http://drupal.org/project/img_assist
[7] http://drupal.org/user/48898
[8] http://drupal.org/user/54136
More information about the Security-news
mailing list