* Advisory ID: DRUPAL-SA-CONTRIB-2010-095
* Project: Lightbox2 (third-party module)
* Version: 5.x, 6.x
* Date: 2010-September-22
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross-Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

The Lightbox2 module enables images to be overlaid on the current page using
JavaScript. The module displays images above the page instead of within it,
freeing the page design from layout constraints and keeping users on the same
page.

The module does not sanitize some of the user supplied data before displaying
it, leading to a Cross Site Scripting (XSS [1]) vulnerability which can be
used by a malicious user to gain full administrative access.

The Lightbox2 module also enables Embedded Media Field [2] and Acidfree [3]
videos to be displayed in a modal popup. In some cases checks on the user's
field level access to the source video were not carried out correctly,
allowing direct queries to the backend URL resulting in the display of videos
which the user would otherwise be unable to access.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Lightbox2 module for Drupal 6.x versions prior to 6.x-1.10
* Lightbox2 module for Drupal 5.x versions prior to 5.x-2.10

Drupal core is not affected. If you do not use the contributed Lightbox2 [4]
module there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use the Lightbox2 module for Drupal 6.x upgrade to Lightbox2
6.x-1.10 [5]
* If you use the Lightbox2 module for Drupal 5.x upgrade to Lightbox2
5.x-2.10 [6]

See also the Lightbox2 project page [7].

-------- REPORTED BY
---------------------------------------------------------

* mr.baileys [8], of the Drupal Security Team
* Jakub Suchy (meba) [9], of the Drupal Security Team
* Stella Power (stella) [10], module maintainer
* hefox [11]

-------- FIXED BY
------------------------------------------------------------

* Stella Power (stella) [12], module maintainer