favicon 7.x-1.0-rc2

Security update

Fixes access bypass XSS vulnerability

The 7.x version of the module does not adequately check that the favicon path provided by the theme is actually a favicon and should be readable by the site. This can allow an attacker to access arbitrary system files by specifying them as the site's favicon file.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".

Note that since this is a pre-release version, no security advisory was issued by the Drupal security team.
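The kind of check the release note describes as missing, written as an added illustration rather than the favicon module's own code: the admin-supplied path must resolve inside the site root and must actually be an image before the site reads or serves it. The function name and the `$site_root` argument are hypothetical; only `DRUPAL_ROOT` is a real Drupal constant.

```php
<?php
// Added example, not code from the favicon module. Validates a theme's
// favicon setting before the file is read. Function name is hypothetical.

function favicon_path_is_safe($path, $site_root) {
  // Only plain relative paths: no absolute paths, no NUL bytes.
  if ($path === '' || $path[0] === '/' || strpos($path, "\0") !== FALSE) {
    return FALSE;
  }
  // Resolve symlinks and ".." so the real location can be compared.
  $real_root = realpath($site_root);
  $real_path = realpath($site_root . '/' . $path);
  if ($real_root === FALSE || $real_path === FALSE || !is_file($real_path)) {
    return FALSE;
  }
  // The resolved file must live strictly inside the site root.
  $prefix = $real_root . DIRECTORY_SEPARATOR;
  if (strncmp($real_path, $prefix, strlen($prefix)) !== 0) {
    return FALSE;
  }
  // It must carry a favicon-like extension...
  $ext = strtolower(pathinfo($real_path, PATHINFO_EXTENSION));
  if (!in_array($ext, array('ico', 'png', 'gif'), TRUE)) {
    return FALSE;
  }
  // ...and be a real image, not a renamed config file. getimagesize()
  // understands ICO as well as PNG and GIF.
  return getimagesize($real_path) !== FALSE;
}

// Constructed inputs showing how a traversal attempt and a non-image
// path are rejected while a genuine favicon inside the root passes.
$root = defined('DRUPAL_ROOT') ? DRUPAL_ROOT : getcwd();
$candidates = array(
  'sites/default/files/favicon.ico',
  '../../etc/passwd',
  'sites/default/settings.php',
);
foreach ($candidates as $candidate) {
  $verdict = favicon_path_is_safe($candidate, $root) ? 'allowed' : 'rejected';
  echo $candidate . ': ' . $verdict . PHP_EOL;
}
```

The same realpath-prefix comparison can be reused for any admin-configured file path the site later opens on the user's behalf.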

favicon 6.x-1.1

Security update

Fixes HTTP header injection vulnerability

The 6.x versions prior to this release use a "Location: " header to redirect to the favicon path, which is set in the admin settings for the theme. This uses PHP's header() function rather than Drupal's header function, and is vulnerable to a header injection exploit.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".

This is only a problem for web sites running PHP 5.1 and below, which is unsupported, so no security advisory has been published.

rules_link 7.x-1.1

Security update
Bug fixes

See SA-CONTRIB-2014-083

Changes since 7.x-1.0:

  • Fixed confirm form question and description.
  • Fixed double escaping of link title.
