| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Oct 2009 10:42:49 -0400
From: Justin Klein Keane <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal Service Links 6.x-1.0 XSS Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Description of Vulnerability:
- - - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Service links module
(http://drupal.org/project/service_links) "enables admins to add links
to a number of social bookmarking sites, blog search sites etc. "
The Service Links module contains a cross site scripting vulnerability
because it does not properly sanitize output of content type names
before display.
Systems affected:
- - - -----------------
Drupal 6.14 with Service links 6.x-1.0 was tested and shown to be
vulnerable.
Impact:
- - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.
Mitigating factors:
- - - -------------------
The Service links module must be installed. To carry out a Service
links based XSS exploit the attacker must have 'administer content
types' permissions.
Proof of Concept:
- - ---------------------
1. Install Drupal 6.14
2. Install Service links 6.x-1.0
3. Enable the Service links module from Administer -> Site building ->
Modules
4. Create a new Content type from Administer -> Content management ->
Content types and click 'Add content type'
5. For the 'name' field enter "<script>alert('xss');</script>" and save
the content type
6. Click Administer -> Site configuration -> Service links to trigger
the JavaScript
Technical details:
- - ------------------------
The Service links module fails to sanitize the output of the content
type names before display. Applying the following patch fixes this
vulnerability.
Patch
- - -------
Applying the following patch mitigates these threats.
- --- service_links/service_links.module 2008-02-26 12:01:27.000000000 -0500
+++ service_links_fixed/service_links.module 2009-10-02
06:33:21.000000000 -0400
@@ -35,11 +35,12 @@ function service_links_admin_settings()
'#title' => t('Where to show the service links'),
'#description' => t('Set the node types and categories you want to
display links for.'),
);
+ $names = array_map('filter_xss', node_get_types('names'));
$form['where_to_show_the_links']['service_links_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Node types'),
'#default_value' => variable_get('service_links_node_types', array()),
- - '#options' => node_get_types('names'),
+ '#options' => $names,
);
if (module_exists('taxonomy')) {
$form['where_to_show_the_links']['service_links_category_types'] =
array(
- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
iPwEAQECAAYFAkrGEWkACgkQkSlsbLsN1gBl7wb+IW9Jk9N8ewZfa4mDxj8W1AVI
jG20xNmLhO9juy8SLe1VD6aAEB5vSDLGOQKB9bIZIuGHRbTwCh1CRYy3RldBCuMn
SKDtBHDpCSLRiy3QfUUeFud7z5GaLoPkJ8x9Esrs3bWtt2mM6AtFmCpuiGWffXWB
oBvlSpBF2QylQi8kZMqcjzQsuVEdJip/nMfbUWYrTWw4mGANXGIZiWG2ADeNKUAR
uI6caEFcLAcSiRP67k8PXyuMuMVY2RWVVmetemBmJKX5ToUNNSHC+Zhw8UUQ9A99
NzGOoXc2dSXhuR9GxJs=
=YUno
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists