- Advisory ID: DRUPAL-SA-CONTRIB-2009-043
- Project: Image Assist (third-party module)
- Version: 5.x, 6.x
- Date: 2009-07-15
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting, Information disclosure
Description
The Image Assist module for Drupal 5.x and 6.x allows users to upload and insert inline images into posts.
Two vulnerabilities were discovered in the contributed Image Assist module.
Cross site scripting
The node title is treated as if it were safe text and is not escaped before being output. A user with sufficient permissions to create image nodes could insert malicious script code into the title field. Any user with access to the Image Assist properties page, or any user viewing an embedded image in a popup, is vulnerable to a cross-site scripting attack. Wikipedia has more information about such cross-site scripting (XSS) attacks.
Information disclosure
Some pages of the module do not properly check for required access permissions, allowing unprivileged users to view the title and body of arbitrary nodes.
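The two issues above share a root cause pattern in Drupal page callbacks: output built from node fields without escaping, and menu items that do not delegate the access decision to the node access system. The following is an added illustration written for this advisory, not code from the Image Assist module; the module name, paths and function names (imgexample_*) are hypothetical, and it shows a weak popup callback in the form the advisory describes next to a hardened one using Drupal 6 core APIs.

```php
<?php
// Added example, not Image Assist code. Hypothetical module "imgexample"
// with a popup page that renders an image node's title and body.

/**
 * Implementation of hook_menu().
 */
function imgexample_menu() {
  $items = array();
  // Weak: only the generic 'access content' permission is checked, so any
  // user who can reach the page may read the title and body of an
  // arbitrary nid, regardless of that node's own access rules.
  $items['imgexample/popup/weak/%node'] = array(
    'page callback' => 'imgexample_popup_weak',
    'page arguments' => array(3),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // Hardened: delegate to node_access('view', $node), the same per-node
  // check core uses for node/%node, so node grants are honoured.
  $items['imgexample/popup/%node'] = array(
    'page callback' => 'imgexample_popup',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Weak: the title is treated as safe text and echoed unescaped, so script
// stored in the title field runs in the browser of whoever opens the popup.
function imgexample_popup_weak($node) {
  return '<h2>' . $node->title . '</h2>' . $node->body;
}

// Hardened: escape the plain-text title with check_plain() and run the body
// through the input format it was saved with before output.
function imgexample_popup($node) {
  if (!$node || $node->type != 'image') {
    return drupal_not_found();
  }
  $output = '<h2>' . check_plain($node->title) . '</h2>';
  $output .= check_markup($node->body, $node->format, FALSE);
  return $output;
}
```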
Versions affected
- Image Assist for Drupal 5.x-1.x before version 5.x-1.8
- Image Assist for Drupal 5.x-2.x before version 2.0-alpha4
- Image Assist for Drupal 6.x-1.x before version 6.x-1.1
- Image Assist for Drupal 6.x-2.x before version 2.0-alpha4
- Image Assist for Drupal 6.x-3.x-dev before 2009-07-15
Drupal core is not affected. If you do not use the contributed Image Assist module, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you currently use Image Assist 5.x-1.x, upgrade to Image Assist 5.x-1.8
- If you currently use Image Assist 5.x-2.x, upgrade to Image Assist 5.x-2.0-alpha4
- If you currently use Image Assist 6.x-1.x, upgrade to Image Assist 6.x-1.1
- If you currently use Image Assist 6.x-2.x, upgrade to Image Assist 6.x-2.0-alpha4
- If you currently use Image Assist 6.x-3.x-dev, upgrade to an Image Assist 6.x-3.x-dev release after 2009-07-15
See also the Image Assist project page.
Reported by
Fixed by
Daniel F. Kudwien (sun), the project maintainer.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.