• Advisory ID: DRUPAL-SA-CONTRIB-2010-073
• Projects: Multiple third party modules - Simple Gallery, OG Menu, Tell A Friend Node, JsMath For Displaying Mathematics With TeX
• Version: 5.x, 6.x
• Date: 2010-July-14
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Multiple (Cross Site Scripting, Email Header Injection)

Versions affected and proposed solutions

Simple Gallery for Drupal 6.x
This module creates a simple gallery using taxonomy and CCK imagefields. The module is vulnerable to a Cross Site Scripting (XSS) attack. It can be exploited by users with the ability to add taxonomy terms or tag content; note that with a free-tagging vocabulary, any user who can create tagged content can also create new terms.
Solution: Disable the module. There is no safe version of the module to use.

OG Menu for Drupal 6.x
Enables users to manage menus by Organic Groups. The module is vulnerable to a Cross Site Scripting (XSS) attack which can be exploited by users with the "administer og menu" permission.
Solution: Update to version 6.x-2.1, which fixes the issue. (At the time the advisory was first published no fixed version existed and the advice was to disable the module.)

Tell A Friend Node for Drupal 6.x
This module provides a Tell A Friend node type for creating multiple tell a friend pages on a site. The module is vulnerable to email header injection and can be abused by any user with the "access tellafriend nodes" permission, including automated spam bots.
Solution: Disable the module. There is no safe version of the module to use.

JsMath For Displaying Mathematics With TeX for Drupal 5.x and 6.x
This module enables the jsMath script for displaying mathematical expressions. The module is vulnerable to a Cross Site Scripting (XSS) attack. This vulnerability can only be exploited by users with the "access administration pages" permission.
Solution: Disable the module. There is no safe version of the module to use.
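The two bug classes behind the entries above (unescaped output behind the three XSS entries, and an unsanitized mail header behind the Tell A Friend Node entry) are illustrated by the following added example. It is not code from any of the modules listed or from Drupal core; the function names, the sample term name and the sample From value are constructed for illustration, and the escaping and header checks are written in plain PHP so the script runs from the command line without a Drupal bootstrap (in Drupal 6 the corresponding API calls are check_plain() for output and drupal_mail() for sending mail).

```php
<?php
// Added example, not code from any of the advised modules or from Drupal core.
// It shows, in plain PHP, the two bug classes the advisory names:
//   1. stored XSS when user-controlled text such as a taxonomy term name is
//      echoed into a page unescaped;
//   2. email header injection when user-supplied input is placed into a mail
//      header without rejecting CR/LF.
// Function names and sample inputs are hypothetical. In Drupal 6 the escaping
// step is check_plain() and mail is sent through drupal_mail(); plain-PHP
// equivalents are used here so the script runs with `php example.php`.

// --- 1. Output escaping -----------------------------------------------------

// Vulnerable: the term name is interpolated into markup as-is, so a term
// named "<script>...</script>" becomes a live script element on the page.
function render_term_unsafe(string $term_name): string {
    return '<a class="gallery-term">' . $term_name . '</a>';
}

// Hardened: encode HTML metacharacters before output. ENT_QUOTES also encodes
// single quotes, so the result is safe inside single-quoted attributes too.
function render_term_safe(string $term_name): string {
    $escaped = htmlspecialchars($term_name, ENT_QUOTES, 'UTF-8');
    return '<a class="gallery-term">' . $escaped . '</a>';
}

// --- 2. Mail header injection -----------------------------------------------

// Vulnerable: a user-supplied "From" address is concatenated straight into the
// extra-headers string. A CR/LF inside that value terminates the From header
// and lets the sender append arbitrary headers (Bcc:, Cc:, Subject:) or, with
// a blank line, a whole new message body. This is how a tell-a-friend form is
// turned into an open spam relay.
function build_headers_unsafe(string $from): string {
    return "From: " . $from . "\r\n";
}

// Hardened: reject the value outright if it contains CR, LF or a NUL byte, and
// additionally require a single syntactically valid address. Rejecting rather
// than silently stripping keeps the abuse attempt visible to the caller.
function build_headers_safe(string $from): ?string {
    if (preg_match('/[\r\n\0]/', $from)) {
        return null;                                   // injection attempt
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                   // not a bare address
    }
    return "From: " . $from . "\r\n";
}

// --- Demo with constructed inputs -------------------------------------------

$term = '<script>alert(document.cookie)</script>';       // constructed term name
$from = "user@example.com\r\nBcc: victim@example.org";   // constructed From value

echo "unsafe term markup : " . render_term_unsafe($term) . "\n";
echo "safe term markup   : " . render_term_safe($term) . "\n";
echo "unsafe headers     :\n" . build_headers_unsafe($from);
var_dump(build_headers_safe($from));                     // NULL: rejected
var_dump(build_headers_safe('user@example.com'));        // accepted
```

Running the script shows the unsafe term markup containing an intact script element while the escaped version renders it as text, and the unsafe header string carrying an injected Bcc: line while the hardened builder returns NULL for the same input and accepts only a bare address.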

Drupal core is not affected. If you do not use any of the module releases above there is nothing you need to do.

Ongoing Maintenance of these modules

If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process.

Reported by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.