SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities

• Advisory ID: DRUPAL-SA-CONTRIB-2010-095
• Project: Lightbox2 (third-party module)
• Version: 5.x, 6.x
• Date: 2010-September-22
• Security risk: Highly Critical
• Exploitable from: Remote
• Vulnerability: Access Bypass, Cross-Site Scripting

Description

The Lightbox2 module enables images to be overlaid on the current page using JavaScript. The module displays images above the page instead of within it, freeing the page design from layout constraints and keeping users on the same page.

The module does not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability which can be used by a malicious user to gain full administrative access.

The Lightbox2 module also enables Embedded Media Field and Acidfree videos to be displayed in a modal popup. In some cases checks on the user's field level access to the source video were not carried out correctly, allowing direct queries to the backend URL resulting in the display of videos which the user would otherwise be unable to access.

Versions affected

• Lightbox2 module for Drupal 6.x versions prior to 6.x-1.10
• Lightbox2 module for Drupal 5.x versions prior to 5.x-2.10

Drupal core is not affected. If you do not use the contributed Lightbox2 module there is nothing you need to do.

Solution

Install the latest version:

• If you use the Lightbox2 module for Drupal 6.x upgrade to Lightbox2 6.x-1.10
• If you use the Lightbox2 module for Drupal 5.x upgrade to Lightbox2 5.x-2.10

See also the Lightbox2 project page.

Reported by

• mr.baileys, of the Drupal Security Team
• Jakub Suchy (meba), of the Drupal Security Team
• Stella Power (stella), module maintainer
• hefox

Fixed by

• Stella Power (stella), module maintainer

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.