| Download | Size | md5 hash |
|---|---|---|
| wunderbar-6.x-0.6.tar.gz | 48.76 KB | b66ff601affd1d5184818bb2abd87948 |
| wunderbar-6.x-0.6.zip | 53.57 KB | ac8350c9438536612d6dc28563b886d6 |
Advisory ID: DRUPAL-SA-CONTRIB-2010-001
Project: Wunderbar! (third-party module)
Version: 6.x
Date: 01/06/2010
Security risk: Not Critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description
The Wunderbar! module provides a floating bar with configurable buttons and the ability to link off to social networking sites. The module does not properly escape user names, potentially allowing a cross site scripting (XSS) attack which may lead to the attacker gaining full administrative access. The risk is mitigated by Drupal's default configuration, which disallows some characters (<, >, &, and quotes) in user names. A site is only vulnerable to this attack if it uses an alternate means to create user names.
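As an added illustration (not the Wunderbar! module's own code), the unescaped pattern next to its escaped form in plain PHP, with a stand-in for Drupal 6's check_plain() and a simplified version of the default user name rule the advisory describes; both helpers are assumptions, not the real Drupal functions.

```php
<?php
// Added example, not code from the Wunderbar! module: shows why an unescaped
// user name rendered into the bar is an XSS sink, and why Drupal's default
// user name validation usually masks the bug on a stock site.

// Stand-in for Drupal 6's check_plain(): HTML-escape with quotes encoded.
function escape_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the user name is concatenated into markup as-is.
function render_bar_vulnerable($name) {
    return '<div class="wunderbar">Welcome, ' . $name . '</div>';
}

// Hardened pattern: escape the name before it touches HTML.
function render_bar_fixed($name) {
    return '<div class="wunderbar">Welcome, ' . escape_plain($name) . '</div>';
}

// Simplified form of the default rule the advisory mentions: reject <, >, &,
// and quotes. Drupal 6's real user_validate_name() applies further checks.
function default_name_allowed($name) {
    return preg_match('/[<>&"\']/', $name) === 0;
}

// Constructed sample user name, the kind only an alternate account-creation
// path (import, SSO, custom code) could produce on a default Drupal site.
$constructed = 'Mallory <b>not bold</b>';

echo "default validation accepts: "
    . (default_name_allowed($constructed) ? 'yes' : 'no') . "\n";
echo "vulnerable: " . render_bar_vulnerable($constructed) . "\n";
echo "fixed:      " . render_bar_fixed($constructed) . "\n";
```

The vulnerable renderer emits the markup intact, the fixed renderer emits it as literal text, and the validation check shows why the same name would never have been accepted through Drupal's default registration path.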
Versions affected
Wunderbar! versions 6.x prior to 6.x-0.6
Drupal core is not affected. If you do not use the Wunderbar! module, there is nothing you need to do.
Solution
Install the latest version: 6.x-0.6
If you use Wunderbar! for Drupal 6.x, upgrade to Wunderbar! 6.x-0.6.
See also the Wunderbar! project page.
Reported by
Isaac Sukin.
Fixed by
Bryan Ollendyke, the Wunderbar! project maintainer.