[Security-news] SA-CONTRIB-2010-051 - Heartbeat - Cross Site Scripting

security-news at drupal.org security-news at drupal.org
Wed May 19 19:18:38 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-051
  * Project: Heartbeat (third-party module)
  * Version: 6.x
  * Date: 2010-May-19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Heartbeat project contains a suite of modules to display user activity on
a website. These modules do not properly sanitize some of their output,
allowing certain users the ability to insert arbitrary HTML and script code.
Such a cross site scripting (XSS [1]) attack may lead to a malicious user
gaining full administrative access. Depending on how the modules are
configured, this vulnerability may extend to relatively unprivileged users,
such as those with the ability to post comments, user "shouts" or other
content.
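
The pattern behind this class of bug, as an added illustration that is not Heartbeat's code: a hypothetical Drupal 6 activity-message renderer shown first with unescaped output and then with the same string properly escaped at output time. It assumes a loaded Drupal 6 environment, where t(), check_plain() and filter_xss() are provided by core; the function names and the $account/$message parameters are invented for the example.

```php
<?php
// Added example, not from the Heartbeat module. Assumes the Drupal 6 API is
// bootstrapped so that t(), check_plain() and filter_xss() are available.

// UNSAFE: $message comes from a user "shout" or comment and is inserted into
// the page as-is. In Drupal 6, a '!' placeholder in t() performs no escaping,
// so any HTML or <script> in $message is rendered for every viewer.
function example_activity_render_unsafe($account, $message) {
  return t('!name wrote: !message', array(
    '!name' => $account->name,
    '!message' => $message,
  ));
}

// SAFE: escape or filter every user-controlled string at the point of output.
// A '@' placeholder runs the value through check_plain(), converting
// < > & " into entities so markup is displayed rather than interpreted.
// filter_xss() keeps only a small whitelist of harmless inline tags, which is
// the right tool when limited rich text in the message is intended.
function example_activity_render_safe($account, $message) {
  return t('@name wrote: !message', array(
    '@name' => $account->name,
    '!message' => filter_xss($message),
  ));
}

// Escaping belongs on the output side, not at storage time: the same stored
// value may be printed in HTML, in a mail body or in a JSON response, and each
// context needs its own encoding.
```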

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Heartbeat for Drupal 6.x versions prior to 6.x-4.9

Drupal core is not affected. If you do not use the contributed Heartbeat [2]
modules, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Heartbeat module for Drupal 6.x, update to Heartbeat
    6.x-4.9 [3].

See also the Heartbeat project page [4].

-------- REPORTED BY ---------------------------------------------------------

Some aspects of the vulnerability were reported by Sebastian Szałachowski,
and others were reported by Jochen Stals [5] (Stalski), the module
maintainer.

-------- FIXED BY ------------------------------------------------------------

Jochen Stals [6] (Stalski), the module maintainer, and David Rothstein [7] of
the Drupal Security Team

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/heartbeat
[3] http://drupal.org/node/802508
[4] http://drupal.org/project/heartbeat
[5] http://drupal.org/user/322618
[6] http://drupal.org/user/322618
[7] http://drupal.org/user/124982
