=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN088
_____________________________________________________________________

DATE                      : 13/03/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Ubercart for Drupal 5.x
                                          prior to 5.x-1.0-beta7.

======================================================================

- ------------SA-2008-020 - UBERCART - CROSS SITE SCRIPTING------------

   * Advisory ID: DRUPAL-SA-2008-020

   * Project: Ubercart (third-party module)

   * Version: 5.x

   * Date: 2008-March-12

   * Security risk: Less critical

   * Exploitable from: Remote

   * Vulnerability: Cross site scripting

- ------------DESCRIPTION------------

The attribute module allows customers to enter a text value as an attribute for
a product, like a name to stitch into a hat. However, when these text values
were displayed in the shopping cart or on order pages they were not escaped, so
a malicious user could embed script in such a value and perform a cross site
scripting attack against anyone viewing those pages.
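The following is an added illustrative example of the flaw class described above, not Ubercart's own code or its actual fix. The function names, the cart-item array layout and the sample value are hypothetical; the only Drupal API used is check_plain(), which exists in Drupal 5 (a fallback is defined so the snippet also runs under plain PHP outside Drupal).

```php
<?php
// Added example (not Ubercart code). Function names and the $item layout are
// hypothetical and chosen for illustration only.

// Fallback so the example runs outside Drupal. Drupal 5's check_plain()
// likewise escapes <, >, &, " and ' with htmlspecialchars().
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample cart item: a text-type attribute whose value the
// customer typed in (the "name to stitch into a hat" case), here carrying
// an injected script instead of a name.
$item = array(
  'title' => 'Knit hat',
  'attributes' => array(
    'Embroidered name' => '<script>alert(document.cookie)</script>',
  ),
);

// VULNERABLE pattern: the customer-supplied value is concatenated into the
// HTML of the cart or order page as-is, so the browser of whoever views
// that page executes the injected script.
function example_render_attributes_vulnerable($item) {
  $out = '';
  foreach ($item['attributes'] as $label => $value) {
    $out .= '<div class="attribute">' . $label . ': ' . $value . '</div>';
  }
  return $out;
}

// HARDENED pattern: escape every user-controlled string at output time.
// check_plain() turns the markup into entities, so the text is shown
// literally and never interpreted as HTML or script.
function example_render_attributes_safe($item) {
  $out = '';
  foreach ($item['attributes'] as $label => $value) {
    $out .= '<div class="attribute">' . check_plain($label) . ': '
          . check_plain($value) . '</div>';
  }
  return $out;
}

print "Vulnerable output:\n" . example_render_attributes_vulnerable($item) . "\n\n";
print "Hardened output:\n" . example_render_attributes_safe($item) . "\n";
```

In Drupal 5 the same effect is obtained by building the string with t() and @placeholders, which are passed through check_plain() automatically. A quick post-upgrade check for a store that allows text attributes: add a product to the cart with an attribute value such as `<b>test</b>` and confirm that the cart page and the order pages display the angle brackets literally rather than rendering bold text.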

All users are encouraged to update to the latest version, but this notice
specifically applies to users who have installed the core attribute module and
allow customers to enter custom text for attributes on products in their stores.

- ------------VERSIONS AFFECTED------------

   * Ubercart for Drupal 5.x prior to 5.x-1.0-beta7

Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.

- ------------SOLUTION------------

Install the latest version:

   * If you use Drupal 5.x install Ubercart 5.x-1.0-beta7
     [ http://drupal.org/node/232545 ].

See also the Ubercart project page [ http://drupal.org/project/ubercart ].

- ------------REPORTED BY------------

j_ten_man [ http://www.ubercart.org/user/1652 ] reported an issue in the
Ubercart forums related to this problem that an Ubercart developer was able to
diagnose and fix immediately.

- ------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
