  • Advisory ID: DRUPAL-SA-CONTRIB-2011-003
  • Project: Janrain Engage (formerly RPX) (third-party module)
  • Version: 6.x
  • Date: 2011-January-19
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting or Arbitrary Code Execution

Description

RPX (recently renamed Janrain Engage) is a service that acts as a middleman between a site and external login providers such as Facebook, Yahoo, Windows Live, etc. As part of this functionality, it can take a user's avatar from one of these services and download it for use as the user's profile photo. The module did not properly validate this file before saving it on the site.

This could result in XSS or perhaps arbitrary code execution if a malicious user is able to insert an arbitrary file instead of the profile image.
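
One way to validate a remotely fetched avatar before saving it, shown as an added example in plain PHP; it is not the module's code or its 1.4 fix. The function name, the limits and the sample inputs are assumptions, and the GD extension is required.

```php
<?php
// Added illustration; avatar_sanitize() and the limits below are hypothetical.
const AVATAR_MAX_BYTES = 524288; // assumed cap on download size (512 KiB)
const AVATAR_MAX_DIM   = 1024;   // assumed cap on width and height, in pixels

/**
 * Validate bytes fetched from a provider-supplied avatar URL.
 * Returns re-encoded PNG data that is safe to store, or NULL if rejected.
 */
function avatar_sanitize($bytes) {
  if (!is_string($bytes) || $bytes === '' || strlen($bytes) > AVATAR_MAX_BYTES) {
    return NULL;
  }
  // Identify the type from the content itself, never from the URL,
  // the file name, or the Content-Type header sent by the remote host.
  $info = @getimagesizefromstring($bytes);
  $allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
  if ($info === FALSE || !in_array($info[2], $allowed, TRUE)) {
    return NULL;
  }
  if ($info[0] < 1 || $info[1] < 1 || $info[0] > AVATAR_MAX_DIM || $info[1] > AVATAR_MAX_DIM) {
    return NULL;
  }
  // A full decode rejects files that only carry a valid image header.
  $img = @imagecreatefromstring($bytes);
  if ($img === FALSE) {
    return NULL;
  }
  // Re-encode so that only pixel data survives: appended payloads,
  // comments and metadata from the original file are discarded.
  ob_start();
  imagepng($img);
  return ob_get_clean();
}

// Constructed sample inputs: a 1x1 GIF and an HTML document posing as an avatar.
$samples = array(
  'gif'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
  'html' => '<html><body>not an image</body></html>',
);
foreach ($samples as $name => $bytes) {
  $png = avatar_sanitize($bytes);
  // The stored name and extension are chosen by the server, not by the remote URL.
  echo $name, ': ', $png === NULL ? 'rejected' : 'save as picture-<uid>.png (' . strlen($png) . ' bytes)', "\n";
}
```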

Versions affected

  • Janrain Engage / RPX module 6.x-1.3 only

Drupal core is not affected. If you do not use the contributed Janrain Engage / RPX module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the 6.x-1.3 version of the Janrain Engage / RPX module, upgrade to the 1.4 version.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.