lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 09 Oct 2009 15:20:35 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal 5.20 and 6.14 Filter Module (Core) XSS
	Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The full text of this advisory is also posted at
http://www.madirish.net/?article=431

Description of Vulnerability:
- - - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  Drupal 5.20 and Drupal 6.14 contain several core
modules that enable basic functionality, including the filter module.

The filter module in Drupal 5.20 and 6.14 contains a cross site
scripting (XSS) vulnerability because it does not properly sanitize the
'Site name' variable before display.

Systems affected:
- - - -----------------
Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable.

Impact:
- - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - - -------------------
To carry out a filter based XSS exploit the attacker must have
'administer site configuration' permissions.

Proof of Concept 1:
- - ---------------------
1.  Install Drupal
2.  Install Wikitools
3.  Change the site name from Administer -> Site configuration -> Site
information
4.  Enter "<script>alert('xss');</script>" for the 'Name' and click
'Save configuration'
5.  View the new content creation form by clicking Create content -> Page
6.  Click the 'Input format' link to expand that area of the form
7.  Click the 'More information about formatting options' link (or
browse to the '?q=filter/tips' URL)
8.  Observe the rendered Javascript

Patch for Drupal 6
- ------------------
Applying the following patch mitigates these threats in Drupal 6.14.

- --- filter/filter.module   2009-10-09 15:06:20.326103353 -0400
+++ filter/filter.module        2009-10-09 15:09:21.611265554 -0400
@@ -188,7 +188,7 @@ function filter_filter_tips($delta, $for
 <p>This site allows HTML content. While learning all of HTML may feel
intimidating, learning how to use a very small number of the most basic
HTML "tags" is very easy. This table provides examples for each tag that
is enabled on this site.</p>
 <p>For more information see W3C\'s <a
href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your
favorite search engine to find other sites that explain HTML.</p>');
               $tips = array(
- -                'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name',
'Drupal') .'</a>'),
+                'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'.
filter_xss(variable_get('site_name', 'Drupal')) .'</a>'),
                 'br' => array( t('By default line break tags are
automatically added, so use this tag to add additional ones. Use of this
tag is different because it is not used with an open/close pair like all
the others. Use the extra " /" inside the tag to maintain XHTML 1.0
compatibility'), t('Text with <br />line break')),
                 'p' => array( t('By default paragraph tags are
automatically added, so use this tag to add additional ones.'), '<p>'.
t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
                 'strong' => array( t('Strong'), '<strong>'. t('Strong')
.'</strong>'),

Patch for Drupal 5
- ------------------
Applying the following patch mitigates these threats in Drupal 5.20.

- --- filter/filter.module   2009-10-09 15:12:28.781103173 -0400
+++ filter/filter.module        2009-10-09 15:12:37.655254084 -0400
@@ -170,7 +170,7 @@ function filter_filter_tips($delta, $for
 <p>This site allows HTML content. While learning all of HTML may feel
intimidating, learning how to use a very small number of the most basic
HTML "tags" is very easy. This table provides examples for each tag that
is enabled on this site.</p>
 <p>For more information see W3C\'s <a
href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your
favorite search engine to find other sites that explain HTML.</p>');
               $tips = array(
- -                'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name',
'Drupal') .'</a>'),
+                'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'.
filter_xss(variable_get('site_name', 'Drupal')) .'</a>'),
                 'br' => array( t('By default line break tags are
automatically added, so use this tag to add additional ones. Use of this
tag is different because it is not used with an open/close pair like all
the others. Use the extra " /" inside the tag to maintain XHTML 1.0
compatibility'), t('Text with <br />line break')),
                 'p' => array( t('By default paragraph tags are
automatically added, so use this tag to add additional ones.'), '<p>'.
t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
                 'strong' => array( t('Strong'), '<strong>'.
t('Strong'). '</strong>'),

Vendor Response
- ----------------
According to Vendor website this vulnerability requires "advanced
permissions" and will not be addressed (ref http://drupal.org/node/475848).



- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSs+NA5EpbGy7DdYAAQJNHwb/SEhOQ48jxDPv0xvt42BYRPYcVyXeAXQT
zLv6MIXh9ufkAfOPYfFcPLa85H0QKavD9KhKqO5+6xLCAoaXsFkt28r7aik7uHSb
kmeTFZ6wIAfCdTG86q7IsumWng0ViAMTjbLK/2Q5m8d7B2rJaZmMyxHY1yWIkaFy
4F4rJq9Ij4apTrQhFe3jK3jNFHNa+qaR5LSiWG5Ss9/6jxzMuAZBjQcCQyerDe/C
ZyvWs27F7lylCP+2R/p8qkJ0W+2aKJuZ/Nl0Lk8BDLXZ1Fa5OBZPz4Ihjw78ZHP4
HoryXpk2v0k=
=D+O+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ