[Security-news] SA-CONTRIB-2009-065 - Browscap - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed Sep 30 18:17:24 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-065
  * Project: Browscap (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-September-30
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Browscap module provides a way to identify the visitors to your site
based on the user agent string sent by their browser. It can also record these
user agent strings and provide reports about them. When displaying reports
about visitors, the module does not properly sanitize the user agent strings
before display, leading to a cross-site scripting (XSS [1]) vulnerability. Such
an attack may lead to a malicious user gaining full administrative access.
Mitigating factors: this only impacts sites which use the "Monitor browsers"
feature.
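The flaw described above is the classic stored-XSS shape: a header that every visitor controls (User-Agent) is recorded and later concatenated into administrator-facing HTML without escaping. The following is an added illustration written for this advisory, not the Browscap module's own code; the function names, the `$rows` shape and the sample data are assumptions. It places a report renderer that echoes the raw string beside one that passes every user-supplied value through Drupal's `check_plain()` before it reaches the page, and includes a minimal stand-in for `check_plain()` so the file runs outside Drupal.

```php
<?php
// Added illustration for SA-CONTRIB-2009-065; not the Browscap module's code.
// Assumptions: $rows is a list of objects with ->useragent and ->counter, as a
// Drupal 5/6 report page callback might get them from a database query.

// Stand-in for Drupal core's check_plain() so this file runs outside Drupal.
// Drupal's own version escapes the same characters (plus a UTF-8 validity check).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the stored user agent string is concatenated straight
// into HTML. Any markup a visitor put in the header is rendered in the
// administrator's browser when the report is viewed.
function browscap_report_vulnerable(array $rows) {
  $output = '<table>';
  foreach ($rows as $row) {
    $output .= '<tr><td>' . $row->useragent . '</td>'
             . '<td>' . $row->counter . '</td></tr>';
  }
  return $output . '</table>';
}

// Hardened pattern: every user-supplied value is escaped with check_plain()
// at the point it is placed in HTML, so "<" becomes "&lt;" and no tag is
// created. The counter is cast to int because it is never meant to be markup.
function browscap_report_fixed(array $rows) {
  $output = '<table>';
  foreach ($rows as $row) {
    $output .= '<tr><td>' . check_plain($row->useragent) . '</td>'
             . '<td>' . (int) $row->counter . '</td></tr>';
  }
  return $output . '</table>';
}

// Constructed sample rows: one ordinary browser and one header carrying markup.
$rows = array(
  (object) array('useragent' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5', 'counter' => 42),
  (object) array('useragent' => 'Mozilla/5.0 (compatible; <script>alert(1)</script>)', 'counter' => 1),
);

// The vulnerable output contains a live <script> element; the fixed output
// contains only the escaped text "&lt;script&gt;".
$vulnerable = browscap_report_vulnerable($rows);
$fixed      = browscap_report_fixed($rows);

echo "vulnerable contains <script>: " . (strpos($vulnerable, '<script>') !== false ? 'yes' : 'no') . "\n";
echo "fixed contains <script>:      " . (strpos($fixed, '<script>') !== false ? 'yes' : 'no') . "\n";
echo $fixed . "\n";
```

The practical check for a site administrator is the same as the one the demonstration makes: view the source of any page that lists recorded user agents and confirm that angle brackets arrive as `&lt;` and `&gt;`. In Drupal 5 and 6 that means every `$row->useragent` (or any other request-derived string) must go through `check_plain()` or `filter_xss()` before it is concatenated into output; wrapping the table in `theme('table')` does not escape cell contents by itself.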

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Browscap versions 6.x prior to 6.x-1.1
  * Browscap versions 5.x prior to 5.x-1.1

Drupal core is not affected. If you do not use the contributed Browscap
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use Browscap for Drupal 6.x, upgrade to Browscap 6.x-1.1 [2]
  * If you use Browscap for Drupal 5.x, upgrade to Browscap 5.x-1.1 [3]

See also the Browscap module project page [4].

-------- REPORTED BY ---------------------------------------------------------

Greg Knaddison [5] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

Greg Knaddison [6] of the Drupal Security Team with help from Rob Loach [7]
and Mike Ryan [8] and Dave Reid [9] of the Drupal Security Team.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/592264
[3] http://drupal.org/node/592262
[4] http://drupal.org/project/browscap
[5] http://drupal.org/user/36762
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/61114
[8] http://drupal.org/user/4420
[9] http://drupal.org/user/53892