lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 18 Aug 2009 09:58:58 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal flag module xss vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Summary Report

Author: Justin C. Klein Keane <justin@...irish.net>
Disclosure URL:
http://lampsecurity.org/drupal-flag-module-vulnerability

Description of Vulnerability:
- - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Flag module (http://drupal.org/project/flag)
"is a flexible flagging system that is completely customizable by the
administrator. Using this module, the site administrator can provide any
number of flags for nodes, comments, or users. Some possibilities
include bookmarks, marking important, friends, or flag as offensive.
With extensive views integration, you can create custom lists of popular
content or keep tabs on important content."

The Flag module contains a cross site scripting vulnerability because it
does not properly sanitize output of role names before display during
flag creation.

Systems affected:
- - -----------------
Drupal 6.13 with Flag 6.x-1.1 was tested and shown to be vulnerable.

Impact:
- - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - -------------------
The Flag module must be installed.  To carry out a role based XSS
exploit against the module the attacker must be able to inject malicious
role names which requires 'administer permissions' or write access to
the Drupal database.  Only users with permission to 'administer flags'
are affected by this vulnerability.

Proof of Concept:
- ---------------------
1.  Install Drupal 6.13
2.  Install Flag 6.x-1.1
3.  Enable the Flag and Flag actions modules from Administer -> Site
building -> Modules
4.  Click the Administer -> User Management -> Roles link
5.  Enter "<script>alert('xss');</script>" in the 'Name' textarea and
click the 'Add role' button
6.  (Note that this triggers a XSS, a vulnerability in 6.13 core)
7.  Click Administer -> Site Building -> Flags
8.  Click the 'Add' tab
9.  Fill in an arbitrary 'Flag name' and click the 'Submit' button
10.  Observe the JavaScript alert


Technical details:
- ------------------------
The Flag module fails to sanitize role names on line 708 of
flag.views.inc before display.

Vendor Response:
- -----------------
It is the position of Drupal security that "'administer permissions'
allows arbitrary permission escalation already, so [...] we do not
consider it a security vulnerability."

Patch
- -------
Applying the following patch mitigates these threats.

diff -up flag/flag.module flag_fixed/flag.module
- --- flag/flag.module    2009-03-14 02:13:54.000000000 -0400
+++ flag_fixed/flag.module      2009-08-18 09:23:37.404047187 -0400
@@ -702,10 +702,11 @@ function flag_form(&$form_state, $name,
     $form['roles']['#value'] = $flag->roles;
   }

+  $options = array_map('check_plain', node_get_types('names'));
   $form['types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('What nodes this flag may be used on'),
- -    '#options' => node_get_types('names'),
+    '#options' => $options,
     '#default_value' => $flag->types,
     '#description' => t('Check any node types that this flag may be
used on. You must check at least one node type.'),
     '#required' => TRUE,

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSoqzopEpbGy7DdYAAQJxDQb/eXDs65vUYUoBmK6dd+wueewHPfHIeAQ/
qe8g8IlrfYOFEHalkWmTSt9tLh6WLstjLXilXrSChWoBEfx3dL/qDkVsI++lFOsi
Z5X9WGhZEJUXw/NGA/ltmtxE0EsFuCHLvuUFyXvG2EdAR7UsRPpmkCAqYC4M16mz
C5EGdWwPrQCQjbViKX3jURHLwlaTMyckNE3yyMbcfM2CDuS1AZXUC/BwbMoKrCkH
Z6coe0gDbV6Y60FPv+PCj2R+CZKzmE0cODdU4iwXx1gxDcx9AxVedZxbKitEi3Hl
mHEMJ+w80GQ=
=M2Ce
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ