[Security-news] SA-CONTRIB-2010-057 - Rotor Banner - Cross Site Scripting (XSS)

[security-news at drupal.org]

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-057
  * Project: Rotor Banner (third-party module)
  * Versions: 6.x-2.x, 5.x-1.x
  * Date: 2010-March-27
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

The Rotor Banner module allows users to upload images which can then be
displayed in a block and rotated through using jQuery. However, when these
images are displayed, the values for the various image attributes (srs,
title, alt) are not properly sanitized, leading to a cross site scripting [1]
(XSS) vulnerability. XSS vulnerabilities may expose site administrative
accounts which could lead to a variety of additional compromises. This
vulnerability is mitigated by the fact that an attacker must have the "create
rotor item" or "edit any rotor item" permissions, which should generally only
be granted to trusted roles.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Rotor Banner module for Drupal 5.x versions prior to 5.x-1.8, and for
    Drupal 6.x versions prior to 6.x-2.5.

Drupal core is not affected. If you do not use the contributed Rotor Banner
module, there is nothing you need to do. Solution Install the latest version.
* If you use the Rotor Banner module for Drupal 6.x-2.x upgrade to Rotor
Banner 6.x-2.5 * If you use the Rotor Banner module for Drupal 5.x-1.x
upgrade to Rotor Banner 5.x-1.8 Reported by * Martin Barbella
(http://drupal.org/user/633600) Fixed by * mrfelton the module maintainer.
Contact The security team for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting