[Security-news] SA-CONTRIB-2011-049 - Cumulus - Cross Site Scripting (XSS)

security-news at drupal.org
Wed Oct 12 19:39:20 UTC 2011


  * Advisory ID: DRUPAL-SA-CONTRIB-2011-049
  * Project: Cumulus [1] (third-party module)
  * Version: 5.x, 6.x
  * Date: 2011-October-12
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting (XSS)

-------- DESCRIPTION ---------------------------------------------------------

The Cumulus module allows you to display your site's tags using a 3D Flash
animation.

The module ships with a Flash file (cumulus.swf) that contains a cross site
scripting (XSS) vulnerability that can be exploited when a user is made to
view a specially crafted URL. If the user is logged in to an administrative
account, the script can take actions using their permissions or disclose
sensitive information to a third party.

This vulnerability is mitigated by the fact that the user being attacked must
be logged in to the site with a privileged account and tricked into visiting a
specially crafted URL.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Cumulus versions prior to 6.x-1.5 [3]

Because the vulnerability is in a Flash file that ships with the module
rather than in the Drupal code itself, any site that has a vulnerable version
of the module in its file system (regardless of whether the module is enabled
or not) is potentially affected. The same is true for any custom modules or
themes on the site into which a copy of the cumulus.swf file may have been
made.

Drupal core is not affected. If you do not have the contributed Cumulus [4]
module in your site's file system, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you have the Cumulus module anywhere on your site's file system,
    upgrade to Cumulus 6.x-1.5 [5] (or remove the module if you are no longer
    using it).

Note: Drupal 5.x modules are no longer supported, including the Cumulus module
for 5.x. If you use Drupal 5.x you should upgrade now.

See also the Cumulus [6] project page.
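Because the affected file is a static cumulus.swf that may have been copied
into custom modules or themes, checking the module's enabled state is not
enough; the whole docroot has to be searched. The following POSIX shell script
is an added example (not part of this advisory or the Cumulus project) that
lists every copy of cumulus.swf under a Drupal docroot and reports the version
declared in a sibling cumulus.info, flagging anything that is not 6.x-1.5 or
later in the 6.x-1 series for review. The "version = ..." line is the one
drupal.org packaging writes into .info files; the make_fixture function builds
a constructed sample tree so the script can be tried without a real site.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Cumulus module:
# audit a Drupal docroot for every copy of cumulus.swf (enabled or not,
# inside the module or copied into a custom module/theme) and report
# the version declared by a sibling cumulus.info.

# Print every cumulus.swf found under $1, one path per line, sorted.
find_cumulus_copies() {
  find "$1" -type f -name 'cumulus.swf' 2>/dev/null | sort
}

# Print the version declared in $1/cumulus.info (drupal.org packaging
# writes a line such as: version = "6.x-1.4"), or "unknown" when the
# directory has no .info file or the file declares no version.
cumulus_version_in() {
  info="$1/cumulus.info"
  if [ -f "$info" ]; then
    v=$(sed -n 's/^version *= *"\{0,1\}\([^"]*\)"\{0,1\} *$/\1/p' "$info" | head -n 1)
    [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
  fi
  printf 'unknown\n'
}

# One tab-separated line per copy: <path> <version> <status>.
# status is "fixed" for 6.x-1.5 or later in the 6.x-1 series (the release
# named in the advisory), otherwise "check" (older, unknown, dev or stray copy).
audit_cumulus() {
  find_cumulus_copies "$1" | while IFS= read -r swf; do
    dir=$(dirname "$swf")
    ver=$(cumulus_version_in "$dir")
    case "$ver" in
      6.x-1.[5-9]|6.x-1.[1-9][0-9]*) status=fixed ;;
      *) status=check ;;
    esac
    printf '%s\t%s\t%s\n' "$swf" "$ver" "$status"
  done
}

# Build a constructed sample docroot (not a real site) in a temp dir and
# print its path. Layout and version strings are made up for the demo:
#   sites/all/modules/cumulus/         packaged module at 6.x-1.4 (affected)
#   sites/all/themes/mytheme/flash/    stray copy of the swf, no .info
#   sites/default/modules/cumulus_new/ copy at 6.x-1.5 (fixed)
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/sites/all/modules/cumulus" \
           "$root/sites/all/themes/mytheme/flash" \
           "$root/sites/default/modules/cumulus_new"
  # 'FWS' is only a stand-in for file content, not a real Flash movie.
  printf 'FWS' > "$root/sites/all/modules/cumulus/cumulus.swf"
  printf 'name = Cumulus\ncore = 6.x\nversion = "6.x-1.4"\n' \
    > "$root/sites/all/modules/cumulus/cumulus.info"
  printf 'FWS' > "$root/sites/all/themes/mytheme/flash/cumulus.swf"
  printf 'FWS' > "$root/sites/default/modules/cumulus_new/cumulus.swf"
  printf 'name = Cumulus\ncore = 6.x\nversion = "6.x-1.5"\n' \
    > "$root/sites/default/modules/cumulus_new/cumulus.info"
  printf '%s\n' "$root"
}

# Usage: sh audit_cumulus.sh /var/www/drupal    (no output means no copy found)
#        sh audit_cumulus.sh --demo             (runs against the sample tree)
if [ "${1:-}" = "--demo" ]; then
  fixture=$(make_fixture)
  audit_cumulus "$fixture"
  rm -rf "$fixture"
elif [ -n "${1:-}" ]; then
  audit_cumulus "$1"
fi
```

Every line marked "check" needs attention: either the copy is older than
6.x-1.5, it is a development snapshot, or it is a stray copy with no .info
file beside it, which is exactly the case the advisory warns about for custom
modules and themes. Removing unused copies is as valid a fix as upgrading them.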

-------- REPORTED BY ---------------------------------------------------------

  * The vulnerability was publicly disclosed.

-------- FIXED BY ------------------------------------------------------------

  * Florian Weber [7], one of the Cumulus module maintainers

-------- COORDINATED BY ------------------------------------------------------

  * David Rothstein [8] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/cumulus
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1304616
[4] http://drupal.org/project/cumulus
[5] http://drupal.org/node/1304616
[6] http://drupal.org/project/cumulus
[7] http://drupal.org/user/254778
[8] http://drupal.org/user/124982
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
