[Security-news] PSA-2011-002 - External libraries and plugins

security-news at drupal.org security-news at drupal.org
Wed Jun 15 19:39:18 UTC 2011


  * Advisory ID: PSA-2011-002
  * Date: 2011-June-15
  * Project: External libraries and plugins

-------- DESCRIPTION ---------------------------------------------------------

Just as you need to diligently follow announcements and update contributed
modules downloaded from Drupal.org, you also need to follow announcements by
the vendors of third-party libraries or plugins that such modules require.
Drupal's Update module has no functionality to alert you to these
announcements, and the Drupal security team will not release announcements
about security issues in external libraries and plugins. The specific issue
precipitating this public service announcement is a cross-site scripting
vulnerability in (F)CKEditor, a common JavaScript-based WYSIWYG editor used
as a library by the CKEditor [1], FCKEditor [2] and WYSIWYG [3] modules.
Public exploit examples are circulating.
-------- VERSIONS AFFECTED ---------------------------------------------------

  * CKEditor versions prior to version 3.5.4
  * FCKEditor versions prior to version 2.6.4.1

-------- SOLUTION ------------------------------------------------------------

Follow the release announcements of the vendors of the external libraries and
plugins you use. In this specific case, either remove the _samples directory
from the (F)CKEditor library installation or upgrade the library to a version
that is not affected (CKEditor 3.5.4 or later, FCKeditor 2.6.4.1 or later).
Test compatibility between the Drupal modules and the new library version
before deploying, since the module release and the library release are not
tied to each other.
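Because the Update module cannot see these library copies, the check has to be
done by hand on the file system. The script below is an added example, not
part of this advisory or of the Drupal project: it walks a Drupal root, finds
every directory holding a ckeditor.js or fckeditor.js, parses the library
version, and applies the rule above (a copy is VULNERABLE only when it is
below the fixed version AND still ships _samples; an old copy with _samples
removed is reported as MITIGATED). It assumes CKEditor 3.x carries its version
in ckeditor.js as version:'3.5.4' (or version : '3.5.4' in the unminified
ckeditor_basic.js) and FCKeditor 2.x carries it in fckeditor.js as
Version = '2.6.4.1'; copies with a different layout are reported as UNKNOWN
rather than guessed. The fixtures built by the demo are constructed, not real
installs.

```shell
#!/bin/sh
# PSA-2011-002 library audit (added example; not Drupal security team code).
# Usage: sh psa_2011_002_check.sh /var/www/drupal   (no argument: run the demo)

CKEDITOR_FIXED=3.5.4
FCKEDITOR_FIXED=2.6.4.1

# version_lt A B: succeed when dotted version A is strictly below B.
# Component-wise, so 3.5.4 < 3.5.10 and 2.6.4 < 2.6.4.1 (a plain string
# comparison gets both wrong, which matters for the four-part FCKeditor fix).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# editor_version DIR: print the library version found in DIR (empty if none).
# Assumed version markers: version:'3.5.4' in ckeditor.js, Version = '2.6.4.1'
# in fckeditor.js. Quote style and surrounding whitespace are tolerated.
editor_version() {
    if [ -f "$1/ckeditor.js" ]; then
        sed -n "s/.*version[[:space:]]*:[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1/ckeditor.js" | head -n 1
    elif [ -f "$1/fckeditor.js" ]; then
        sed -n "s/.*Version[[:space:]]*=[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1/fckeditor.js" | head -n 1
    fi
}

# check_editor_dir DIR: print one report line and return
# 0 = OK (at or above the fix), 1 = VULNERABLE (old and _samples present),
# 2 = MITIGATED (old but _samples removed), 3 = UNKNOWN version, 4 = no library.
check_editor_dir() {
    dir=$1
    if [ -f "$dir/ckeditor.js" ]; then kind=CKEditor; fixed=$CKEDITOR_FIXED
    elif [ -f "$dir/fckeditor.js" ]; then kind=FCKeditor; fixed=$FCKEDITOR_FIXED
    else echo "NONE $dir"; return 4; fi
    ver=$(editor_version "$dir")
    if [ -d "$dir/_samples" ]; then samples=present; else samples=removed; fi
    if [ -z "$ver" ]; then
        echo "UNKNOWN $kind ? $dir (_samples $samples; inspect by hand)"; return 3
    elif ! version_lt "$ver" "$fixed"; then
        echo "OK $kind $ver $dir"; return 0
    elif [ "$samples" = present ]; then
        echo "VULNERABLE $kind $ver $dir (< $fixed, _samples present)"; return 1
    else
        echo "MITIGATED $kind $ver $dir (< $fixed, _samples removed; still upgrade)"; return 2
    fi
}

# scan_drupal_root ROOT: report every library copy under ROOT (libraries/,
# module-bundled copies, multisite directories). Returns 1 if any is VULNERABLE.
scan_drupal_root() {
    report=$(find "$1" -type f \( -name ckeditor.js -o -name fckeditor.js \) | sort |
        while IFS= read -r f; do check_editor_dir "$(dirname "$f")" || :; done)
    printf '%s\n' "$report"
    case "$report" in *VULNERABLE*) return 1 ;; esac
    return 0
}

# make_fixture DIR ck|fck VERSION yes|no: constructed library stub for the demo.
make_fixture() {
    mkdir -p "$1"
    if [ "$2" = ck ]; then
        printf "CKEDITOR={timestamp:'x',version:'%s',revision:'0'};\n" "$3" > "$1/ckeditor.js"
    else
        printf "this.Version = '%s' ;\nthis.VersionBuild = '0' ;\n" "$3" > "$1/fckeditor.js"
    fi
    if [ "$4" = yes ]; then mkdir -p "$1/_samples"; fi
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/sites/all/libraries/ckeditor" ck 3.5.3 yes          # VULNERABLE
    make_fixture "$tmp/sites/all/modules/fckeditor/fckeditor" fck 2.6.4 yes # VULNERABLE
    make_fixture "$tmp/sites/example.org/libraries/ckeditor" ck 3.5.2 no   # MITIGATED
    make_fixture "$tmp/sites/default/libraries/ckeditor" ck 3.6.1 yes      # OK
    scan_drupal_root "$tmp" || echo "at least one vulnerable copy found"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then scan_drupal_root "$1"; else demo; fi
```

Run it as root of the site's checkout, not just sites/all/libraries: the
FCKEditor module bundles its library inside the module directory, and multisite
installs may carry their own copies under sites/*/libraries, so only a
tree-wide scan catches every copy.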
-------- REPORTED BY ---------------------------------------------------------

The Drupal security team was alerted to this issue by Henry Sudhof [4].
-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/ckeditor
[2] http://drupal.org/project/fckeditor
[3] http://drupal.org/project/wysiwyg
[4] http://drupal.org/node/874498
