[Security-news] SA-CONTRIB-2010-073 - Multiple Vulnerabilities In Multiple Contributed Modules

security-news at drupal.org
Wed Jul 14 20:34:36 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-073
  * Projects: Multiple third party modules - Simple Gallery, OG Menu, Tell A
    Friend Node, JsMath For Displaying Mathematics With TeX
  * Version: 5.x, 6.x
  * Date: 2010-July-14
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Multiple (Cross Site Scripting, Email Header Injection)

-------- VERSIONS AFFECTED AND PROPOSED SOLUTIONS ----------------------------

Simple Gallery [1] for Drupal 6.x
     This module creates a simple gallery using taxonomy and CCK imagefields.
     The module is vulnerable to a Cross Site Scripting [2] (XSS) attack. This
     can be exploited by users with the ability to add taxonomy terms or tag
     content. *Solution:* Disable the module. There is no safe version of the
     module to use.

OG Menu [3] for Drupal 6.x
     Enables users to manage menus by Organic Groups. The module is vulnerable
     to a Cross Site Scripting [4] (XSS) attack which can be exploited by
     users with the "administer og menu" permission. *Solution:* Disable the
     module. There is no safe version of the module to use.

Tell A Friend Node [5] for Drupal 6.x
     This module provides a Tell A Friend node type for creating multiple tell
     a friend pages on a site. The module is vulnerable to email header
     injection attacks by spam bots and can be abused by any user with the
     "access tellafriend nodes" permission. *Solution:* Disable the module.
     There is no safe version of the module to use.

JsMath For Displaying Mathematics With TeX [6] for Drupal 5.x and 6.x
     This module enables the jsMath script for displaying mathematical
     expressions. The module is vulnerable to a Cross Site Scripting [7] (XSS)
     attack. This vulnerability can only be exploited by users with the
     "access administration pages" permission. *Solution:* Disable the module.
     There is no safe version of the module to use.
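As an added example, not code from Tell A Friend Node or any other module in this advisory, the following shows how a Drupal 6 module that mails user-submitted recipient and subject values can refuse the line breaks that email header injection relies on before handing the message to drupal_mail(). It assumes a bootstrapped Drupal 6 site (valid_email_address(), drupal_mail(), language_default() and t() are core functions) and the hypothetical module name example_tellafriend.

```php
<?php
// Added example; not code from any module named in this advisory. Assumes a
// bootstrapped Drupal 6 site; 'example_tellafriend' is a hypothetical module.

/**
 * TRUE when $value can be placed in a mail header without ending the header.
 *
 * Header injection smuggles a CR or LF into a header value (recipient,
 * subject, sender) so that the text after it is parsed as extra headers
 * (Bcc:, Cc:) or as the start of the body. Rejecting every control
 * character closes that regardless of the mail backend in use.
 */
function example_tellafriend_header_is_safe($value) {
  return is_string($value) && !preg_match('/[\r\n\x00-\x1f\x7f]/', $value);
}

/**
 * Validates submitted recipient and subject; returns an array of errors.
 * valid_email_address() alone is not enough: a PCRE '$' anchor also matches
 * just before a trailing newline, so the control-character check is separate.
 */
function example_tellafriend_validate($to, $subject) {
  $errors = array();
  if (!example_tellafriend_header_is_safe($to) || !valid_email_address($to)) {
    $errors[] = t('The recipient must be a single valid e-mail address.');
  }
  if (!example_tellafriend_header_is_safe($subject)) {
    $errors[] = t('The subject may not contain line breaks.');
  }
  return $errors;
}

// Sends the message through Drupal's mail API only after validation passes.
function example_tellafriend_send($to, $subject, $body) {
  $errors = example_tellafriend_validate($to, $subject);
  if (!empty($errors)) {
    return $errors;
  }
  $params = array('subject' => $subject, 'body' => $body);
  drupal_mail('example_tellafriend', 'share', $to, language_default(), $params);
  return array();
}

// Implements hook_mail() for the 'share' key: copies the validated values in.
function example_tellafriend_mail($key, &$message, $params) {
  $message['subject'] = $params['subject'];
  $message['body'][] = $params['body'];
}
```

A form's validate handler can call example_tellafriend_validate() and raise form_set_error() for each returned string, so a spam bot that submits a recipient such as "a@example.com\nBcc: ..." never reaches the mail layer.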

Drupal core is not affected. If you do not use any of the module releases
above there is nothing you need to do.

-------- ONGOING MAINTENANCE OF THESE MODULES --------------------------------

If you are interested in taking over maintenance of a module, or branch of a
module, that is no longer supported, and are capable of fixing security
vulnerabilities, you may apply to do so using the abandoned project takeover
process [8].

-------- REPORTED BY ---------------------------------------------------------

  * Simple Gallery issue reported by Owen Barton [9] of the Drupal Security
    Team
  * OG Menu issue reported by Justin C. Klein Keane [10]
  * Tell A Friend Node issue reported by James McDonald [11]
  * JsMath For Displaying Mathematics With TeX issue reported by Kyle Small
    [12]

-------- CONTACT -------------------------------------------------------------

The security team for Drupal [13] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.
Read more about the Security Team and Security Advisories at
http://drupal.org/security.


[1] http://drupal.org/project/simplegallery
[2] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[3] http://drupal.org/project/og_menu
[4] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[5] http://drupal.org/project/tellafriend_node
[6] http://drupal.org/project/jsmath
[7] http://en.wikipedia.org/wiki/Cross_Site_Scripting
[8] http://drupal.org/node/251466
[9] http://drupal.org/user/19668
[10] http://drupal.org/user/302225
[11] http://drupal.org/user/418221
[12] http://drupal.org/user/832278
[13] http://drupal.org/security-team