[Security-news] SA-CONTRIB-2010-004 - Node block - Cross site scripting

security-news at drupal.org
Wed Jan 13 17:36:16 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-004
  * Project: Node Block (third-party module)
  * Version: 6.13, 5.11
  * Date: 2010-January-13
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

This module allows you to specify content type(s) as being a block, so that
the site's content managers can edit the block text and title without having
to access the block administration page. Users only need edit access to the
node in order to change the block. Users with "administer blocks" access
also see region and weight options on the node form. Node Block does not
properly escape node titles, allowing users with permission to create or edit
the specified content type(s) to inject arbitrary code into the site. Such a
cross site scripting (XSS) attack may lead to a malicious user gaining full
administrative access.
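
The bug class described above, as an added PHP illustration that is not the
Node Block module's code: the same block subject is built from a node title
once without escaping and once passed through Drupal's check_plain(). The
function names, the sample node and the check_plain() shim (so the script also
runs outside Drupal; inside Drupal 5/6 the real function from bootstrap.inc
is used) are assumptions made here.

```php
<?php
// Added illustration, not the Node Block module's code.

// Shim so the script runs outside Drupal. Inside Drupal 5/6 the real
// check_plain() (htmlspecialchars with ENT_QUOTES and UTF-8) is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the node title reaches the block subject as-is.
// Drupal 6 prints a module-supplied block subject without further escaping,
// so anyone allowed to edit the node can place markup in every page that
// shows the block. (Hypothetical function name.)
function nodeblock_demo_subject_unescaped($node) {
  return array(
    'subject' => $node->title,
    'content' => $node->body_rendered, // assumed to be filtered already
  );
}

// Hardened pattern: a block subject is plain text, so escape the title
// before handing it to the block system. (Hypothetical function name.)
function nodeblock_demo_subject_escaped($node) {
  return array(
    'subject' => check_plain($node->title),
    'content' => $node->body_rendered,
  );
}

// Constructed sample node; the title carries a harmless marker tag.
$node = new stdClass();
$node->title = 'Weekly notice <script>/* marker */</script>';
$node->body_rendered = '<p>Block body</p>';

$unsafe = nodeblock_demo_subject_unescaped($node);
$safe   = nodeblock_demo_subject_escaped($node);

echo "Unescaped subject: " . $unsafe['subject'] . "\n";
echo "Escaped subject:   " . $safe['subject'] . "\n";

// Regression check a maintainer can keep in the module's tests:
// the escaped subject must never contain raw angle brackets.
if (strpbrk($safe['subject'], '<>') !== false) {
  echo "FAIL: subject not escaped\n";
  exit(1);
}
echo "OK: subject escaped\n";
```

Run with `php demo.php`; the escaped subject prints the marker as
`&lt;script&gt;...&lt;/script&gt;`, which the browser renders as text rather
than executing. The same rule applies to any other node field that a module
copies into a block subject, since the block system does not escape it for you.
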

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Node Blocks module 5.x-1.1 and prior versions
  * Node Blocks module 6.x-1.3 and prior versions

Drupal core is not affected. If you do not use the contributed Feed Block
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Node Blocks module for Drupal 5.x upgrade to Node Blocks
    5.x-1.2 [1]
  * If you use the Node Blocks module for Drupal 6.x upgrade to Node Blocks
    6.x-1.4 [2]

See also the Node Block project page [3].

-------- REPORTED BY ---------------------------------------------------------

Martin Barbella [4] and Khalid Baheyeldin [5]

-------- FIXED BY ------------------------------------------------------------

Thomas Turnbull [6].

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/node/683586
[2] http://drupal.org/node/683584
[3] http://drupal.org/project/nodeblock
[4] http://drupal.org/user/633600
[5] http://drupal.org/user/4063
[6] http://drupal.org/user/125573