[Security-news] SA-CONTRIB-2009-064 - Bibliography module - Cross Site Scripting
security-news at drupal.org
security-news at drupal.org
Wed Sep 30 16:35:54 UTC 2009
* Advisory ID: DRUPAL-SA-CONTRIB-2009-064
* Project: Bibliography module (third-party module)
* Version: 6.x
* Date: 2009-September-30
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Bibliography module (also known as Biblio) allows users manage and
display lists of scholarly publications. The Biblio module creates customized
views in order to display these listings, and these listings contain text
entered by users with the 'create biblio' permission. In some cases, the
module does not properly sanitize the text, leading to a cross-site scripting
(XSS [1]) vulnerability. Such an attack may lead to a malicious user gaining
full administrative access.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Bibliography module versions 6.x prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Bibliography
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Bibliography module for Drupal 6.x upgrade to Bibliography
module 6.x-1.7 [2]
See also the Bibliography module project page [3].
-------- REPORTED BY
---------------------------------------------------------
Justin C. Klein Keane [4]
-------- FIXED BY
------------------------------------------------------------
Ron Jerome [5] the module maintainer.
-------- CONTACT
-------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/592174
[3] http://drupal.org/project/biblio
[4] http://drupal.org/user/302225
[5] http://drupal.org/user/54997
More information about the Security-news
mailing list