[Security-news] SA-CONTRIB-2009-048 - Bibliography Module - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Jul 29 19:32:51 UTC 2009 

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-048
  * Project: Bibliography Module (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-July-29
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

The Bibliography module (Biblio) allows users to manage and display lists of
scholarly publications. The module contains a cross site scripting
vulnerability because it does not properly sanitize output of titles before
display. A user who has the permission to create content displayed by the
Bibliography module could attempt a cross site scripting [1] (XSS) attack
which may lead to the user gaining full administrative access.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Bibliography Module versions 6.x prior to 6.x-1.6
  * Bibliography Module versions 5.x prior to 5.x-1.17

Drupal core is not affected. If you do not use the contributed Bibliography
module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the Bibliography Module for Drupal 6.x upgrade to Bibliography
    Module 6.x-1.6 [2]
  * If you use the Bibliography Module for Drupal 5.x upgrade to Bibliography
    Module 5.x-1.17 [3]

See also the Bibliography Module project page [4].
-------- REPORTED BY  
---------------------------------------------------------

Justin Klein Keane [5].
-------- FIXED BY  
------------------------------------------------------------

Justin Klein Keane [6] and Ron Jerome [7] (the Bibliography module
maintainer).
-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/534744
[3] http://drupal.org/node/534752
[4] http://drupal.org/project/biblio
[5] http://drupal.org/user/302225
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/54997

More information about the Security-news mailing list