[Security-news] SA-CONTRIB-2010-092 - Advanced Book Blocks - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Sep 15 19:27:23 UTC 2010 

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-092
  * Project: Advanced Book Blocks (third-party module)
  * Version: 6.x
  * Date: 2010-September-15
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Cross Site Request Forgery

-------- DESCRIPTION  
---------------------------------------------------------

The Advanced Book Blocks module enables you to integrate with the API
provided by the JQuery Menu module (version 1.8 and higher) to provide click
and expand book menus with the ability to customize each block individually.
The module contained Cross Site Scripting vulnerabilities which could allow a
malicious user with one of several non-default permissions to inject
arbitrary javascript into the administrative pages provided by this module.
The module also contained Cross Site Request Forgery vulnerabilities which
could allow an attacker to trick an administrator into unintentionally
deleting or resetting blocks provided by this module.
-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Advanced Book Blocks module for Drupal 6.x versions prior to 6.x-2.2

Drupal core is not affected. If you do not use the contributed Advanced Book
Blocks [1] module, there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------

Install the latest version:
  * If you use the Advanced Book Blocks module for Drupal 6.x upgrade to
    Advanced Book Blocks 6.x-2.2 [2]

See also the Advanced Book Blocks [3].
-------- REPORTED BY  
---------------------------------------------------------

  * Matt Chapman
    , of the Drupal Security Team.

-------- FIXED BY  
------------------------------------------------------------

  * Aaron Hawkins
    , the module maintainer.
  * Matt Chapman
    , of the Drupal Security Team.

-------- CONTACT  
-------------------------------------------------------------

The Drupal security team [4] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/advancedbookblocks
[2] http://drupal.org/node/912586
[3] http://drupal.org/project/advancedbookblocks
[4] http://drupal.org/security-team

More information about the Security-news mailing list