[Security-news] SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)

[security-news at drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-054
  * Project: Storm (third-party module)
  * Version: 6.x
  * Date: 2010-May-19
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting (XSS)

-------- DESCRIPTION  
---------------------------------------------------------

The Storm project provides a group of modules for project management and
billing. The module displays data entered by users without sanitising it,
allowing for a cross site scripting [1] (XSS) attack that may lead to a
malicious user gaining full administrative access.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Storm project for Drupal 5.x (all versions). This branch is unsupported
    and has not been fixed. It is recommended not to use Storm for Drupal 5.x.
  * Storm project for Drupal 6.x versions prior to 6.x-1.33

Drupal core is not affected. If you do not use the contributed Storm module,
there is nothing you need to do.

-------- SOLUTION  
------------------------------------------------------------

  * If you use the Storm module for Drupal 5.x, uninstall this module
  * If you use the Storm module for Drupal 6.x, upgrade to Storm 6.x-1.33 [2]

-------- REPORTED BY  
---------------------------------------------------------

Disclosed outside the Drupal Security Team process. [3]
-------- FIXED BY  
------------------------------------------------------------

  * juliangb [4], the module maintainer

-------- CONTACT  
-------------------------------------------------------------

The security team for Drupal [5] can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://ftp.drupal.org/files/projects/storm-6.x-1.33.tar.gz
[3] http://drupal.org/security-team#report-issue
[4] http://drupal.org/user/719472
[5] http://drupal.org/security-team