[Security-news] SA-CONTRIB-2009-098 - Zoomify - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Nov 4 22:12:56 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-098
  * Project: Zoomify (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-4
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  ---------------------------------------------------------

The Zoomify module integrates the Zoomify Flash applet, which can be used to
pan and zoom on large images, into Drupal. Images are first preprocessed in
order for Zoomify to work. The module outputs the node title without
sanitizing it, so a user who can set the title of a node displayed with
Zoomify can inject markup and script into pages that render it, leading to a
Cross Site Scripting (XSS [1]) vulnerability.
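To illustrate the bug class described above: the following is an added example, not the Zoomify module's own code, and the function and variable names (zoomify_viewer_markup_vulnerable, zoomify_viewer_markup_safe, the sample $node) are assumptions for illustration. It contrasts a Drupal 6 module that concatenates a node title straight into its markup with the same output passed through core's check_plain(). A fallback check_plain() is defined so the snippet also runs outside Drupal; it does what Drupal 6 core's version does (htmlspecialchars with ENT_QUOTES).

```php
<?php
// Added example, not code from the Zoomify module. All names below are
// assumptions chosen for illustration.

// Outside Drupal, provide the behaviour of Drupal 6 core's check_plain():
// escape &, ", ', < and > so text is inert in HTML content and attributes.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample node: the title is user-controlled input, and this
// payload both breaks out of an attribute and injects a script element.
$node = (object) array(
  'nid'   => 42,
  'title' => '"><script>alert(document.cookie)</script>',
);

// Vulnerable pattern: the raw title lands in an attribute and in element
// text, so the browser executes the injected script.
function zoomify_viewer_markup_vulnerable($node) {
  return '<div class="zoomify" title="' . $node->title . '">'
       . $node->title . '</div>';
}

// Hardened pattern: escape at the point of output, once per context.
function zoomify_viewer_markup_safe($node) {
  $title = check_plain($node->title);
  return '<div class="zoomify" title="' . $title . '">'
       . $title . '</div>';
}

echo "vulnerable: ", zoomify_viewer_markup_vulnerable($node), "\n";
echo "hardened:   ", zoomify_viewer_markup_safe($node), "\n";

// Reviewer's check: the hardened output must contain no raw '<script'.
var_dump(strpos(zoomify_viewer_markup_safe($node), '<script') === false);
```

The same rule applies to every other place a module prints node data: titles and other user-supplied strings go through check_plain() (or a t() placeholder such as @title) when emitted as plain text, and through the input filter system when they are meant to carry markup; sanitizing on input instead of output is not a substitute, because the stored value is also reached through other paths.
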

-------- VERSIONS AFFECTED  ---------------------------------------------------

  * Zoomify module for Drupal 6.x prior to Zoomify 6.x-1.4 [2]
  * Zoomify module for Drupal 5.x prior to Zoomify 5.x-2.2 [3]

Drupal core is not affected. If you do not use the contributed Zoomify module
[4], there is nothing you need to do.

-------- SOLUTION  ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Zoomify module for Drupal 6.x upgrade to Zoomify 6.x-1.4 [5]
  * If you use Zoomify module for Drupal 5.x upgrade to Zoomify 5.x-2.2 [6]

-------- REPORTED BY  ---------------------------------------------------------

  * Reported by Dylan Wilder-Tack [7], the module maintainer

-------- FIXED BY  ------------------------------------------------------------

  * Fixed by Karim Ratib [8], the module maintainer

-------- CONTACT  -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/623434
[3] http://drupal.org/node/623436
[4] http://drupal.org/project/zoomify
[5] http://drupal.org/node/623434
[6] http://drupal.org/node/623436
[7] http://drupal.org/user/96647
[8] http://drupal.org/user/48424
