- Advisory ID: DRUPAL-SA-CONTRIB-2010-001
- Project: Wunderbar! (third-party module)
- Version: 6.x
- Date: 2010-January-6
- Security risk: Not Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Wunderbar! module provides a floating bar with configurable buttons and the ability to link off to social networking sites. The module does not properly escape user names, potentially allowing a cross site scripting (XSS) attack which may lead to the user gaining full administrative access. The risk is mitigated by Drupal's default configuration, which disallows some characters (<, >, &, and quotes) in user names. A site would only be vulnerable to this attack if it uses an alternate means to create usernames.
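The escaping defect described above, as an added illustration that is not the module's own code: a hypothetical render helper that concatenates `$account->name` straight into markup, beside the hardened form that passes it through Drupal 6's `check_plain()`. The helper names are invented for the example; the `check_plain()` shim only exists so the file runs from the command line outside Drupal, and the sample account name is constructed.

```php
<?php
// Added example, not Wunderbar! code. Shows why an unescaped user name is an
// XSS sink and how the Drupal 6 API closes it.

// Drupal 6 defines check_plain() in includes/bootstrap.inc. This shim, with the
// same escaping behaviour, lets the example run stand-alone: php example.php
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// VULNERABLE (hypothetical helper name): the account name is inserted into the
// markup unchanged, so whatever is stored in it becomes part of the page.
function wunderbar_example_username_vulnerable($account) {
  return '<span class="wunderbar-user">' . $account->name . '</span>';
}

// FIXED: check_plain() converts <, >, &, " and ' to entities before output,
// so the name is displayed as text rather than interpreted as markup.
function wunderbar_example_username_fixed($account) {
  return '<span class="wunderbar-user">' . check_plain($account->name) . '</span>';
}

// Constructed account. Drupal's own registration form rejects a name like this
// (user_validate_name() disallows <, >, & and quotes), which is the mitigation
// the advisory refers to; such a name can only arrive through an alternate
// account-creation path, e.g. an import or a custom module.
$account = new stdClass();
$account->name = 'mallory<script>alert(1)</script>';

echo "Vulnerable: " . wunderbar_example_username_vulnerable($account) . "\n";
echo "Fixed:      " . wunderbar_example_username_fixed($account) . "\n";
```

Running it prints the script tag verbatim in the vulnerable line and as `&lt;script&gt;...` in the fixed line. The defensive point is that output escaping must not rely on input validation having happened elsewhere: core's username check is a mitigation, not the fix, because any other code path that writes `users.name` bypasses it.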
Versions affected
- Wunderbar! versions 6.x prior to 6.x-0.6
Drupal core is not affected. If you do not use the Wunderbar! module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Wunderbar! for Drupal 6.x, upgrade to Wunderbar! 6.x-0.6
See also the Wunderbar! project page.
Reported by
Fixed by
Bryan Ollendyke, the Wunderbar! project maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.