[Security-news] SA-CONTRIB-2010-011 - Feedback - Cross Site Scripting

0 views
Skip to first unread message

securi...@drupal.org

unread,
Jan 27, 2010, 5:58:00 PM1/27/10
to securi...@drupal.org
* Advisory ID: DRUPAL-SA-CONTRIB-2010-011
* Project: Feedback (third-party module)
* Version: 5.x, 6.x
* Date: 2010-January-27
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

Feedback module enables users and visitors of a Drupal site to quickly send
feedback messages about the currently displayed page. When displaying reports
about submitted feedback, the module does not properly sanitize the user
agent strings from the Browscap module before display, leading to a
cross-site scripting (XSS [1]) vulnerability. Such an attack may lead to a
malicious user gaining full administrative access. Mitigating factors: this
only impacts sites which also use the Browscap module and have the "Monitor
browsers" feature enabled.
-------- VERSIONS AFFECTED
---------------------------------------------------

* Feedback for Drupal 6.x prior to 6.x-2.1
* Feedback for Drupal 5.x prior to 5.x-2.1

Drupal core is not affected. If you do not use the contributed Feedback
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Upgrade to the latest version:
* If you use Feedback for Drupal 6.x upgrade to Feedback 6.x-2.1 [2]
* If you use Feedback for Drupal 5.x upgrade to Feedback 5.x-2.1 [3]

See also the Feedback project page [4].
-------- REPORTED BY
---------------------------------------------------------

* mr.baileys [5]

-------- FIXED BY
------------------------------------------------------------

* Daniel Kudwien [6], the module maintainer
* Dave Reid [7]

-------- CONTACT
-------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/697288
[3] http://drupal.org/node/697290
[4] http://drupal.org/project/feedback
[5] http://drupal.org/user/383424
[6] http://drupal.org/user/54136
[7] http://drupal.org/user/53892

_______________________________________________
Security-news mailing list
Securi...@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news

Reply all
Reply to author
Forward
0 new messages