[Security-news] SA-CONTRIB-2009-086 - OpenSocial Shindig-Integrator - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Oct 28 21:56:19 UTC 2009 

  * Advisory ID: DRUPAL-SA-CONTRIB-2009-086
  * Project: OpenSocial Shindig-Integrator (third-party module)
  * Version: 6.x, 5.x
  * Date: 2009-October-86
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

The OpenSocial Shindig-Integrator module enables sites to host OpenSocial
widgets. The module fails to sanitize user input, making it vulnerable to
cross site scripting (XSS [1]) attacks. This vulnerability is somewhat
limited by the fact that an attacker would need an account with the
permissions to "create application" on the site.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * OpenSocial Shindig-Integrator module for Drupal 6.x prior to OpenSocial
    Shindig-Integrator 6.x-2.1 [2]
  * OpenSocial Shindig-Integrator module for Drupal 5.x

Drupal core is not affected. If you do not use the contributed OpenSocial
Shindig-Integrator [3] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version or disable the module.
  * If you use the OpenSocial Shindig-Integrator module for Drupal 6.x upgrade
    to OpenSocial Shindig-Integrator 6.x-2.1 [4]
  * If you use the OpenSocial Shindig-Integrator module for Drupal 5.x,
    disable the module and un-install it. The 5.x branch is no longer
    supported.

-------- REPORTED BY  
---------------------------------------------------------

  * Tony Mobily

-------- FIXED BY  
------------------------------------------------------------

  * Astha Bhatnagar [5], module maintainer.

-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/en/Cross_Site_Scripting
[2] http://drupal.org/node/615584
[3] http://drupal.org/project/shindigintegrator
[4] http://drupal.org/node/615584
[5] http://drupal.org/user/375917

More information about the Security-news mailing list