SA-CONTRIB-2010-061 - AddonChat - Multiple Vulnerabilities


* Advisory ID: DRUPAL-SA-CONTRIB-2010-061
* Project: AddonChat (third-party module)
* Version: 6.x-1.x
* Date: 2010-May-26
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple (Privilege Escalation, Cross-site scripting)

DESCRIPTION

The AddonChat module provides Drupal integration with the AddonChat Java chat
room.

Due to unsafe handling of the global $user object, failed authentication at
the custom addonchat_auth.php script will log in an attacker as the chosen
user.

Additionally, several configuration variables are not escaped correctly on
output, leading to a cross-site scripting vulnerability. Users with the "access
administration pages" permission could add arbitrary HTML and JavaScript to
pages.
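The two defensive rules behind these fixes, shown as an added example rather than the module's own code: a hypothetical stand-alone Drupal 6 authentication endpoint (the script location, the `chat_auth_check()` helper and the `chat_room_title` variable are assumptions) that never touches the global `$user` object until the credential check has succeeded, and that runs stored configuration values through `check_plain()` before printing them.

```php
<?php
// Hypothetical hardened Drupal 6 auth endpoint for a chat integration.
// Not the AddonChat module's code; paths and names below are assumed.
// Rule 1: do not assign to the global $user before credentials are verified.
// Rule 2: escape every stored configuration value before it reaches the page.

chdir('../../../..');                 // assumed: sites/all/modules/<module>/ layout
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);   // leaves $user as the anonymous account

// Returns the account object only when name AND password match an active
// account; user_load() with a 'pass' key compares the stored hash itself.
// Nothing here writes to the global $user.
function chat_auth_check($name, $pass) {
  $account = user_load(array(
    'name'   => $name,
    'pass'   => trim($pass),
    'status' => 1,
  ));
  return $account ? $account : FALSE;
}

$name = isset($_POST['name']) ? $_POST['name'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
$account = chat_auth_check($name, $pass);

if ($account === FALSE) {
  // $user is still the anonymous account set up by the bootstrap, so the
  // session Drupal writes at shutdown stays anonymous. Had a user_load()
  // result been assigned to $user before this check, a failed login would
  // still persist that uid into the session.
  header('HTTP/1.1 403 Forbidden');
  exit('DENIED');
}

// Only after a successful check does the request adopt the account.
global $user;
$user = $account;

// Admin-editable settings are untrusted on output: check_plain() neutralises
// any HTML or JavaScript stored in them.
$title = check_plain(variable_get('chat_room_title', 'Chat'));   // assumed variable
print '<h1>' . $title . '</h1>';
```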

VERSIONS AFFECTED

* AddonChat module for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed AddonChat [1]
module, there is nothing you need to do.

SOLUTION

Install the latest version.

* If you use the AddonChat module for Drupal 6.x, upgrade to AddonChat
6.x-1.2 [2].

REPORTED BY
* Jonathan Hedstrom [3]
* Dylan Tack [4] of the Drupal Security Team

FIXED BY

* Jonathan Hedstrom [5] and Chris Duerr [6], the module maintainer.
