[Security-news] SA-CONTRIB-2010-012 - ODF Import - Access Bypass (possible Cross Site Scripting)

security-news at drupal.org security-news at drupal.org
Wed Feb 3 15:56:59 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-012
  * Project: ODF Import (third-party module)
  * Version: 6.x-1.0
  * Date: 2010-February-3
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The ODF Import module enables users of a Drupal site to import content created
in the ODF format (e.g. using OpenOffice.org). When importing content, it
always used an input format that might not be available to the user importing
the content, leading to a cross-site scripting (XSS [1]) vulnerability. Such an
attack may lead to a malicious user gaining full administrative access.

Mitigating factors: this only impacts sites that also use the ODF Import
module, where users have the "import odf" permission.
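As an added illustration (not the module's code and not taken from this advisory), the pattern the advisory describes beside the usual Drupal 6 remedy: a handler that hard-codes an input format on an imported node grants whatever that format permits, whereas checking filter_access() before storing the format keeps the import within the importing user's own permissions. The example_* names and the format id 2 are hypothetical.

```php
<?php
// Added example (Drupal 6 API); not the ODF Import module's code.
// example_* names and the format id 2 are hypothetical.

// Vulnerable pattern: every imported node is stored with one fixed input
// format, whether or not the importing user is allowed to use it. If that
// format permits raw HTML, markup the user's own formats would have
// stripped is stored and later rendered unfiltered (the XSS in the advisory).
function example_import_node_vulnerable($title, $body) {
  global $user;
  $node = new stdClass();
  $node->type = 'page';
  $node->uid = $user->uid;
  $node->title = $title;
  $node->body = $body;
  $node->format = 2;   // hypothetical permissive format id, never checked
  node_save($node);
  return $node;
}

// Hardened pattern: gate on the module's permission, then only store a
// format the current user may use; otherwise fall back to the site
// default format, which every role can use. filter_access() resolves
// FILTER_FORMAT_DEFAULT and compares the user's roles with the format's.
function example_import_node_hardened($title, $body, $format = FILTER_FORMAT_DEFAULT) {
  global $user;
  if (!user_access('import odf')) {
    drupal_access_denied();
    return NULL;
  }
  if (!filter_access($format)) {
    $format = filter_resolve_format(FILTER_FORMAT_DEFAULT);
  }
  $node = new stdClass();
  $node->type = 'page';
  $node->uid = $user->uid;
  $node->title = $title;
  $node->body = $body;
  $node->format = $format;
  node_save($node);
  return $node;
}
```

In a real import form the format would normally come from filter_form(), which only lists formats the user may use; the server-side filter_access() check still belongs in the handler, because the stored format, not the form, decides how the body is rendered.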

-------- VERSIONS AFFECTED ---------------------------------------------------

  * ODF Import for Drupal 6.x prior to 6.x-1.0

Drupal core is not affected. If you do not use the contributed ODF Import
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use ODF Import for Drupal 6.x upgrade to ODF Import 6.x-1.1 [2]

See also the ODF Import project page [3].

-------- REPORTED BY ---------------------------------------------------------

  * Frederic G. Marand [4]

-------- FIXED BY ------------------------------------------------------------

  * Vivek Khurana [5], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/702470
[3] http://drupal.org/project/odfimport
[4] http://drupal.org/user/27985
[5] http://drupal.org/user/407445
