Release notes

Advisory ID: DRUPAL-SA-CONTRIB-2010-001
Project: Wunderbar! (third-party module)
Version: 6.x
Date: 01/06/2010
Security risk: Not Critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting
Description
The Wunderbar! module provides a floating bar with configurable buttons and the ability to link to social networking sites. The module does not properly escape user names when it outputs them, potentially allowing a cross site scripting (XSS) attack which may lead to a malicious user gaining full administrative access. The risk is mitigated by Drupal's default configuration, which disallows some characters (<, >, &, and quotes) in user names. A site is vulnerable to this attack only if it uses an alternate means to create user names.
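
The following is an added illustration, not code from the Wunderbar! module or from Drupal: it shows why a character restriction applied when a name is created does not replace escaping when the name is output. All function names and the sample names are hypothetical; in Drupal 6 the output step would use check_plain().

```php
<?php
// Added illustration; not the Wunderbar! module's code.
// All function names here are hypothetical.

// Input-side check modelled on the restriction the advisory describes:
// <, >, & and quotes are rejected when a name passes through this path.
function name_passes_form_check(string $name): bool {
  return preg_match('/[<>&"\']/', $name) === 0;
}

// Unsafe: the stored name is concatenated into markup as-is, so any
// markup inside the name becomes part of the page.
function render_greeting_unescaped(string $name): string {
  return '<span class="bar-user">Hello, ' . $name . '</span>';
}

// Safe: the name is encoded for an HTML context at output time.
// Drupal 6 code would call check_plain(); htmlspecialchars() is used
// here so the file runs without Drupal.
function render_greeting_escaped(string $name): string {
  $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
  return '<span class="bar-user">Hello, ' . $safe . '</span>';
}

// Constructed sample names. The second stands for an account created by
// a path that never ran the form check (an import script is assumed).
$names = ['alice', '<em class="x">mallory</em>'];

foreach ($names as $name) {
  printf("name: %s\n", $name);
  printf("  passes form check: %s\n", name_passes_form_check($name) ? 'yes' : 'no');
  printf("  unescaped output:  %s\n", render_greeting_unescaped($name));
  printf("  escaped output:    %s\n", render_greeting_escaped($name));
}
```

The escaped renderer gives safe output for both names regardless of how the account was created, which is why the fix belongs at the point of output.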

Versions affected
Wunderbar! versions 6.x prior to 6.x-0.6
Drupal core is not affected. If you do not use the Wunderbar! module, there is nothing you need to do.

Solution
Install the latest version: 6.x-0.6

If you use Wunderbar! for Drupal 6.x, upgrade to Wunderbar! 6.x-0.6.
See also the Wunderbar! project page.

Reported by
Isaac Sukin.

Fixed by
Bryan Ollendyke, the Wunderbar! project maintainer.

Created by: btopro
Created on: 6 Jan 2010 at 14:31 UTC
Last updated: 6 Jan 2010 at 19:22 UTC
Security update
Bug fixes
Unsupported