[Security-news] SA-CONTRIB-2011-006 - Flag Page - Cross Site Scripting (XSS)

security-news at drupal.org
Wed Feb 2 19:43:03 UTC 2011


  * Advisory ID: DRUPAL-SA-CONTRIB-2011-006
  * Project: Flag page (third-party module)
  * Version: 6.x
  * Date: 2011-February-02
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The contributed Flag page module provides an additional flag type that lets
you flag pages, so you can bookmark any URL on your site, including views,
panels, administration pages or the site contact page. The module does not
sanitize flag titles when they are displayed in blocks, leading to a Cross-Site
Scripting (XSS [1]) vulnerability that may allow a malicious user to gain
full administrative access. This vulnerability is mitigated by the fact that
the user must have the "administer flags" permission in order to create and
edit flags and thus to enter the XSS payload.
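As an added illustration that is not the Flag page module's own code: a Drupal 6-style block helper written the way the advisory describes (the flag title concatenated into HTML unescaped) next to the sanitized form. The function names, the flag object and its title value are constructed for this example; check_plain() is Drupal's real output-escaping function, shimmed here only so the file also runs with the plain PHP CLI.

```php
<?php
// Added example, not the flag_page module's code. Drupal 6 provides
// check_plain(); the shim mirrors its escaping so this runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical flag object; in Drupal it would come from the flag API.
// The title is constructed to carry markup a browser would execute.
$flag = (object) array(
  'name'  => 'bookmark_page',
  'title' => 'Bookmarks <script>alert("xss")</script>',
);

// Vulnerable pattern: text an administrator typed into the flag form is
// stored, then concatenated straight into the block's HTML on every view.
function flag_page_block_title_unsafe($flag) {
  return '<h2 class="flag-page-title">' . $flag->title . '</h2>';
}

// Hardened pattern: escape at the point of output. Holders of
// "administer flags" are still not trusted for raw HTML, so a compromised
// or careless administrator account cannot plant a stored XSS that runs
// in every other visitor's session.
function flag_page_block_title_safe($flag) {
  return '<h2 class="flag-page-title">' . check_plain($flag->title) . '</h2>';
}

$unsafe = flag_page_block_title_unsafe($flag);
$safe   = flag_page_block_title_safe($flag);

// The unsafe output still contains a live <script> element; the safe output
// contains only &lt;script&gt;, which the browser renders as literal text.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $unsafe, "\n";
echo $safe, "\n";
```

The same check applies to any other place the module echoes a stored flag title (block subjects, link text, page titles): every one of them must pass through check_plain() or an equivalent filter at output time.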

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Flag page module 6.x-2.x versions prior to 6.x-2.2
  * Flag page module 6.x-1.x versions prior to 6.x-1.3

Note: If you do not use the contributed flag_page [2] module, there is
nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Flag page module for Drupal 6.x-2.x, upgrade to Flag Page
    6.x-2.2 [3]
  * If you use the Flag page module for Drupal 6.x-1.x, upgrade to Flag Page
    6.x-1.3 [4]

See also the Flag page project page [5].

-------- REPORTED BY ---------------------------------------------------------

  * Balazs Dianiska (snufkin) [6]

-------- FIXED BY ------------------------------------------------------------

  * Balazs Dianiska (snufkin) [7]
  * Alex Pott [8], module maintainer

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
form at http://drupal.org/contact. Learn more about the team and their
policies [9], writing secure code for Drupal [10], and secure configuration
[11] of your site.


[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/flag_page
[3] http://drupal.org/node/1046704
[4] http://drupal.org/node/1046706
[5] http://drupal.org/project/flag_page
[6] http://drupal.org/user/58645
[7] http://drupal.org/user/58645
[8] http://drupal.org/user/157725
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration