=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN042
_____________________________________________________________________

DATE                      : 20/01/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Janrain Engage versions 6.x.

======================================================================
http://drupal.org/node/1033154
______________________________________________________________________

SA-CONTRIB-2011-003 - Janrain Engage (RPX) - Multiple Vulnerabilities
Posted by Drupal Security Team on January 19, 2011 at 10:18pm

    * Advisory ID: DRUPAL-SA-CONTRIB-2011-003
    * Project: Janrain Engage (formerly RPX) (third-party module)
    * Version: 6.x
    * Date: 2011-January-19
    * Security risk: Less critical
    * Exploitable from: Remote
    * Vulnerability: Cross Site Scripting or Arbitrary Code Execution

Description

RPX (recently renamed Janrain Engage) is a service that acts as a
middleman between a site and external login providers like Facebook,
Yahoo, WindowsLive, etc. As part of this functionality it offers the
ability to take a user's avatar on these services and download it
for use as the user's profile photo. The module did not properly
validate this file before saving it on the site.

This could result in XSS or perhaps arbitrary code execution if
a malicious user is able to insert an arbitrary file instead of
the profile image.
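
The missing check described above, as an added example (not the module's
code and not the 1.4 fix): the downloaded avatar is accepted only if its
content is a known image type, and the stored name never comes from the
remote URL. The size limit, naming scheme and sample bytes are assumptions.

```python
import hashlib

MAX_AVATAR_BYTES = 512 * 1024  # assumed limit, not taken from the advisory

# Leading bytes of the raster formats accepted as avatars -> extension to store.
SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# Constructed sample inputs (not real files): a PNG header and an HTML page.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_SAMPLE = b"<html><body>not an image</body></html>"


def sniff_image_extension(data):
    """Return the extension implied by the file's content, or None."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return None


def safe_avatar_name(uid, remote_url, data):
    """Validate downloaded avatar bytes and return the filename to save under.

    Raises ValueError for anything that is not a small PNG/JPEG/GIF.
    remote_url is used only in the error message, never to build the name,
    so an attacker-chosen extension cannot reach the files directory.
    """
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise ValueError("avatar is empty or exceeds the size limit")
    ext = sniff_image_extension(data)
    if ext is None:
        raise ValueError("avatar is not a recognised image: %r" % remote_url)
    digest = hashlib.sha256(data).hexdigest()[:16]
    return "picture-%d-%s.%s" % (int(uid), digest, ext)
```

A signature check alone does not rule out files that are valid images and
also carry markup, so the avatar directory should additionally be served
with a fixed image Content-Type and with script execution disabled.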

Versions affected

    * Janrain Engage / RPX module 6.x-1.3 only

Drupal core is not affected. If you do not use the contributed
Janrain Engage / RPX module, there is nothing you need to do.


Solution

Install the latest version:

    * If you use the 6.x-1.3 version of the Janrain Engage / RPX module,
      upgrade to the 1.4 version

Reported by

    * Greg Dunlap (heyrocker)

Fixed by

    * Greg Dunlap (heyrocker)
    * George Katsitadze (geokat)
    * Nathan Rambeck (nrambeck)
    * Greg Knaddison (greggles)

Contact and More Information

The Drupal security team can be reached at security at drupal.org
or via the form at http://drupal.org/contact.

Learn more about the team and their policies, writing secure code
for Drupal, and secure configuration of your site.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

