=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN366
_____________________________________________________________________

DATE                      : 19/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Mailsave for DRUPAL.

======================================================================
http://drupal.org/node/309802
______________________________________________________________________

SA-2008-051 - Mailsave - Cross site scripting

Heine - September 17, 2008 - 17:20

     * Advisory ID: DRUPAL-SA-2008-051
     * Project: Mailsave (third-party module)
     * Versions: 5.x and 6.x
     * Date: 2008-September-17
     * Security risk: Critical
     * Exploitable from: Remote
     * Vulnerability: Cross site scripting

Description

Mailsave is a module that is designed to interact with mailhandler. It
will detach files that are emailed to the site and save them with the
node.

The module trusts the mimetype that is send with the file enabling
malicious users with the ability to upload files to execute cross site
scripting attacks.


Versions Affected

     * Versions of Mailsave for Drupal 5.x prior to 5.x-3.3
     * Versions of Mailsave for Drupal 6.x prior to 6.x-1.3

Drupal core is not affected. If you do not use the Mailsave module,
there is nothing you need to do.


Solution

Install the latest version.

     * If you use Mailsave for Drupal 5.x upgrade to Mailsave 5.x-3.3
     * If you use Mailsave for Drupal 6.x upgrade to Mailsave 6.x-1.3

Also see the Mailsave project page.


Reported by

     * Mark Burdett (mfb)

Contact

The security contact for Drupal can be reached at security at drupal.org
or via the form at http://drupal.org/contact and by selecting the
security issues category.


======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================