Date: Wed, 10 Jun 2009 18:34:43 -0400
From: Justin Klein Keane <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal 6 Views Module XSS Vulnerability

Author: Justin C. Klein Keane <justin@...irish.net>
Vendor Response: See below
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-views-xss-vulnerability

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Drupal Views module (http://drupal.org/project/views) allows administrators to control lists and presentation of content. This frees maintainers from restrictions imposed by taxonomy and allows administrators to build smart queries for gathering result sets to display.

The Views module contains a cross site scripting (XSS) vulnerability that allows authenticated users with 'administer views' privileges to inject arbitrary HTML into certain fields when defining custom views.

Systems affected:
-----------------
Drupal 6.12 with Views 6.x-2.5 was tested and shown to be vulnerable.

Mitigating factors:
-------------------
The attacker must have 'administer views' permissions in order to exploit this vulnerability.

Proof of concept:
-----------------
1. Install Drupal 6.12.
2. Install Views and enable all Views functionality through Administer -> Modules.
3. Click Administer -> Site Building -> Views.
4. Click 'Add' to create a new View.
5. Fill in arbitrary values for name, description, and tag.
6. Select 'node' for 'View type'.
7. In 'Basic settings' click 'Defaults' next to 'Name'.
8. Enter "<script>alert('name');</script>" in "The name of this display" textbox.
9. Click "update" to view JavaScript alerts.

Vendor Response
---------------
Upgrade to the latest version of Views.
http://drupal.org/node/488068

--
Justin C. Klein Keane
http://www.MadIrish.net
http://LAMPSecurity.org
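The bug class behind this advisory is an admin-supplied display name rendered into the Views UI without output escaping. The snippet below is an added illustration, not Views module code: it shows the unescaped pattern next to the escaped one and a small audit helper for titles already stored, using the advisory's payload as constructed input. check_plain_standin() mirrors Drupal 6's check_plain(); the render and audit function names are hypothetical.

```php
<?php
// Stand-in for Drupal 6's check_plain(): htmlspecialchars() with ENT_QUOTES
// and UTF-8 (check_plain() additionally rejects invalid UTF-8; omitted here).
function check_plain_standin($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern (hypothetical name): the display title is concatenated
// straight into admin-UI markup, so a stored <script> tag is parsed and run
// in the browser of whoever next opens the view editor.
function render_display_tab_vulnerable($display_title) {
    return '<div class="views-display-tab">' . $display_title . '</div>';
}

// Hardened pattern: escape at output time regardless of who supplied the
// value. 'administer views' is privileged, but stored markup still executes
// in every other administrator's session, which is why the fix matters.
function render_display_tab_hardened($display_title) {
    return '<div class="views-display-tab">' . check_plain_standin($display_title) . '</div>';
}

// Audit helper (hypothetical): flag stored display titles that contain markup
// so a site can find payloads entered before upgrading Views.
function find_markup_in_titles(array $titles) {
    $flagged = array();
    foreach ($titles as $display_id => $title) {
        if ($title !== strip_tags($title) || $title !== check_plain_standin($title)) {
            $flagged[$display_id] = $title;
        }
    }
    return $flagged;
}

// Constructed sample data: the value from step 8 of the proof of concept
// alongside two benign titles.
$titles = array(
    'default' => 'Defaults',
    'page_1'  => 'Recent posts',
    'page_2'  => "<script>alert('name');</script>",
);

echo render_display_tab_vulnerable($titles['page_2']), "\n";
echo render_display_tab_hardened($titles['page_2']), "\n";
print_r(find_markup_in_titles($titles));
```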