By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-043
  • Project: Image Assist (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-07-15
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting, Information disclosure

Description

The Image Assist module for Drupal 5.x and 6.x allows users to upload and insert inline images into posts.

Two vulnerabilities and weaknesses were discovered in the contributed Image Assist module.

Cross site scripting

The node title is treated as if it was safe text, and is not escaped before being output. A user with sufficient permissions to create image nodes could insert malicious script code into the title field. Any user with access to the Image Assist properties page or any user viewing an embedded image in a popup is vulnerable to a cross-site scripting attack. Wikipedia has more information about such cross site scripting (XSS) attacks.

Information disclosure

Some pages of the module do not properly check for required access permissions, allowing unprivileged users to view the title and body of arbitrary nodes.

Versions affected

  • Image Assist for Drupal 5.x-1.x before version 5.x-1.8
  • Image Assist for Drupal 5.x-2.x before version 2.0-alpha4
  • Image Assist for Drupal 6.x-1.x before version 6.x-1.1
  • Image Assist for Drupal 6.x-2.x before version 2.0-alpha4
  • Image Assist for Drupal 6.x-3.x-dev before 2009-07-15

Drupal core is not affected. If you do not use the contributed Image Assist module, there is nothing you need to do.

Solution

Upgrade to the latest version:

See also the Image Assist project page.

Reported by

Stefan M. Kudwien (smk-ka)

Fixed by

Daniel F. Kudwien (sun), the project maintainer.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Categories: Drupal 5.x, Drupal 6.x