[Security-news] SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting

[security-news at drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-092
  * Project: S5 Presentation Player (third-party module)
  * Version: 6.x
  * Date: 2009 November 4
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

The S5 Presentation Player module enables the creation of an S5 slideshow
using content from the site. The module does not properly sanitize user
supplied text it includes in the HTML HEAD section, leading to a cross-site
scripting (XSS [1]) vulnerability. Such an attack may lead to a malicious
user gaining full administrative access.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * S5 Presentation Player 6.x-1.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed S5
Presentation Player module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the S5 Presentation Player for Drupal 6.x-1.x upgrade to S5
    Presentation Player 6.x-1.1 [2]

See also the S5 Presentation Player module project page [3].
-------- REPORTED BY  
---------------------------------------------------------

  * Gábor Hojtsy [4] of the Drupal Security team

-------- FIXED BY  
------------------------------------------------------------

  * Greg Knaddison [5], the module maintainer, of the Drupal Security team

-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/617136
[3] http://drupal.org/project/s5
[4] http://drupal.org/user/4166
[5] http://drupal.org/user/36762