[Security-news] SA-CONTRIB-2010-011 - Feedback - Cross Site Scripting

security-news at drupal.org
Wed Jan 27 22:58:00 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-011
  * Project: Feedback (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-January-27
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

Feedback module enables users and visitors of a Drupal site to quickly send
feedback messages about the currently displayed page. When displaying reports
about submitted feedback, the module does not properly sanitize the user
agent strings from the Browscap module before display, leading to a
cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a
malicious user gaining full administrative access. Mitigating factors: this
only impacts sites which also use the Browscap module and have the "Monitor
browsers" feature enabled.
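The pattern behind this advisory, shown as an added example that is not the Feedback module's code: a stored User-Agent header is placed into a report row either unchanged (vulnerable) or through Drupal 6's check_plain() (fixed). The function names feedback_report_row_vulnerable, feedback_report_row_fixed and row_contains_raw_markup are hypothetical, the sample User-Agent strings are constructed, and a stand-in for check_plain() is defined only so the file runs outside a Drupal bootstrap.

```php
<?php
// Added example, not the Feedback module's code. Assumes Drupal 6's
// check_plain() (htmlspecialchars with ENT_QUOTES, UTF-8); a stand-in is
// defined so the script runs without Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed samples of what a browser-monitoring module stores: raw
// User-Agent headers exactly as the client sent them.
$constructed_user_agents = array(
  'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.6',
  'Mozilla/5.0 <script>alert("xss")</script>',
);

// Vulnerable pattern: the stored header is concatenated into the report
// markup unchanged, so any HTML it carries becomes part of the admin page.
function feedback_report_row_vulnerable($user_agent) {
  return '<td>' . $user_agent . '</td>';
}

// Fixed pattern: escape at output time. '<', '>', '"' and "'" become
// entities and the browser renders the header as text, not as markup.
function feedback_report_row_fixed($user_agent) {
  return '<td>' . check_plain($user_agent) . '</td>';
}

// Defender's check: does the rendered row still contain a raw tag that
// originated in the untrusted input?
function row_contains_raw_markup($row) {
  return strpos($row, '<script') !== FALSE;
}

foreach ($constructed_user_agents as $ua) {
  $vuln = feedback_report_row_vulnerable($ua);
  $safe = feedback_report_row_fixed($ua);
  printf("vulnerable: %s\n  raw markup present: %s\n",
         $vuln, row_contains_raw_markup($vuln) ? 'yes' : 'no');
  printf("fixed:      %s\n  raw markup present: %s\n",
         $safe, row_contains_raw_markup($safe) ? 'yes' : 'no');
}
```

Run with `php example.php`. The point to carry over to real modules is that Drupal 6's theme('table') does not escape cell values: every cell built from data that originated in a request header must go through check_plain() (or be pre-escaped) before it reaches the table renderer, and the escaping belongs at the output step rather than at storage time, so the original header stays available for logging and analysis.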

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Feedback for Drupal 6.x prior to 6.x-2.1
  * Feedback for Drupal 5.x prior to 5.x-2.1

Drupal core is not affected. If you do not use the contributed Feedback
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Feedback for Drupal 6.x upgrade to Feedback 6.x-2.1 [2]
  * If you use Feedback for Drupal 5.x upgrade to Feedback 5.x-2.1 [3]

See also the Feedback project page [4].

-------- REPORTED BY ---------------------------------------------------------

  * mr.baileys [5]


-------- FIXED BY ------------------------------------------------------------

  * Daniel Kudwien [6], the module maintainer
  * Dave Reid [7]


-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/697288
[3] http://drupal.org/node/697290
[4] http://drupal.org/project/feedback
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/54136
[7] http://drupal.org/user/53892