lists.openwall.net: Open Source and information security mailing list archives
Date: Fri, 09 Oct 2009 15:42:54 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability

Full details of this report are also posted at http://www.madirish.net/?article=430

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Wikitools module (http://drupal.org/project/wikitools) "provides some settings to get a more wiki-like behavior. It aims to be lightweight; all features are optional, and it provides no database tables of its own."

The Wikitools module contains a cross site scripting vulnerability because it does not sanitize content type names before displaying them on its settings page.

Systems affected:
-----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:
-------
The injected script runs on an administrative page, so it executes in the browser of a site administrator and can be used to compromise administrative accounts. A compromised Drupal administrator account can in turn be used to compromise the web server process.

Mitigating factors:
-------------------
The Wikitools module must be installed and enabled. Because the payload is a content type name, the attacker must have the 'administer content types' permission to plant it.

Proof of Concept:
-----------------
1. Install Drupal
2. Install Wikitools
3. Create a new content type from Administer -> Content management -> Content types -> Add content type
4. Enter "<script>alert('xss');</script>" for the content type name and save the new content type
5. Enable the Wikitools module from Administer -> Site Building -> Modules
6. Click on Administer -> Site configuration -> Wikitools to observe the JavaScript

Technical details:
------------------
The Wikitools settings form passes the human-readable content type names returned by node_get_types('names') straight into the '#options' of a 'checkboxes' form element. Drupal's form API renders option labels as HTML without escaping them, so a content type name containing markup is emitted verbatim into the Wikitools settings page, leading to arbitrary HTML injection.

Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.

--- wikitools/wikitools.module	2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module	2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
-    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#size' => count(node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,

Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

--- wikitools/wikitools.admin.inc	2009-06-17 23:57:33.000000000 -0400
+++ wikitools/wikitools.admin.inc	2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
-    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
     '#description' => t('Select the node types which will be affected by the specified options. If you select multiple node types, all nodes of these types will be searched for when a wikipath is entered. If a wikipage doesn\'t exist, an option to create any of these types will be given.'),

Vendor Response
---------------
In the past the vendor has responded that vulnerabilities requiring 'administer content types' privileges have already been addressed by SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not classified as security vulnerabilities, but rather as bugs.

--
Justin C. Klein Keane
http://www.MadIrish.net
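Review bot: in the 5.x-1.3 hunk, the `+    '#options' => array_map('filter_xss', node_get_types('names')),` line uses the wrong sanitizer for a plain-text checkbox label. filter_xss() keeps its allowed tags (a, em, strong, cite, code, ul, ol, li, dl, dt, dd), so a content type named `<strong>Page</strong>` still injects markup into the settings page; it only blunts the `<script>` case. The form API renders #options values as HTML, and the Drupal convention for option labels built from stored strings is check_plain(): `'#options' => array_map('check_plain', node_get_types('names')),`. The unchanged `'#size' => count(node_get_types('names')),` context line below calls node_get_types('names') a second time; assigning the array to a local once and using it for both #options and #size avoids the repeated lookup and keeps the two consistent.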
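Review bot: the 6.x-1.2 hunk has the same sanitizer choice on its `+    '#options' => array_map('filter_xss', node_get_types('names')),` line; use check_plain() here too so that the label is escaped rather than tag-filtered. The change also carries no explanatory comment, and nothing in the surrounding context explains why node_get_types('names') cannot be passed directly; a one-line comment above '#options' noting that form-API option labels are emitted as unescaped HTML would stop a later maintainer from reverting to the bare call.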
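The following is an added example, not code from the Wikitools module or from the advisory author, showing why the '#options' values need escaping and how the three candidate sanitizers differ on the advisory's payload. It is a stand-alone PHP script: check_plain_equiv() is the htmlspecialchars() call that Drupal's check_plain() wraps; filter_xss_approx() is only an approximation of Drupal's filter_xss() (strip_tags() with the same default allowed-tag list, without the attribute scrubbing the real function does); render_checkboxes() is a simplified stand-in for how Drupal 5/6's expand_checkboxes() and theme_checkbox() place the option value inside a <label> unescaped. The content type names are constructed for the demonstration.

```php
<?php
// Added example, not code from the Wikitools module or from the advisory.
// It models how Drupal 6's form API renders the '#options' of a 'checkboxes'
// element: expand_checkboxes() copies each option value into a checkbox
// '#title', and theme_checkbox() concatenates that title into the <label>
// without escaping it. Whatever is in '#options' is therefore emitted as HTML.

// Equivalent of Drupal's check_plain(): core wraps exactly this call.
function check_plain_equiv($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Approximation of Drupal's filter_xss() with its default allowed-tag list.
// The real function also scrubs attributes (javascript: URLs, on* handlers);
// this stand-in only drops disallowed tags, which is enough to show that a
// tag whitelist still lets markup into a label that should be plain text.
function filter_xss_approx($text) {
  $allowed = '<a><em><strong><cite><code><ul><ol><li><dl><dt><dd>';
  return strip_tags($text, $allowed);
}

// Simplified stand-in for theme_checkbox(): the option value lands inside
// <label> unescaped, as it does in Drupal 5/6.
function render_checkboxes($name, array $options) {
  $out = '';
  foreach ($options as $key => $title) {
    $id = 'edit-' . $name . '-' . $key;
    $input = '<input type="checkbox" name="' . $name . '[' . $key . ']" id="' . $id
           . '" value="' . check_plain_equiv($key) . '" class="form-checkbox" />';
    $out .= '<label class="option" for="' . $id . '">' . $input . ' ' . $title . "</label>\n";
  }
  return $out;
}

// Constructed content-type names in the shape node_get_types('names') returns
// (machine name => human-readable name). 'evil' is the advisory's proof-of-
// concept payload; 'bold' shows what a tag whitelist lets through.
function sample_node_type_names() {
  return array(
    'page' => 'Page',
    'evil' => "<script>alert('xss');</script>",
    'bold' => '<strong>Story</strong>',
  );
}

// The three ways of building '#options': as in the unpatched module, as in
// the advisory's patch, and as Drupal convention recommends.
function option_variants(array $names) {
  return array(
    'unpatched'   => $names,
    'filter_xss'  => array_map('filter_xss_approx', $names),
    'check_plain' => array_map('check_plain_equiv', $names),
  );
}

// Checks on the rendered markup of each variant.
function rendering_checks(array $variants) {
  $raw   = render_checkboxes('wikitools_node_types', $variants['unpatched']);
  $fx    = render_checkboxes('wikitools_node_types', $variants['filter_xss']);
  $plain = render_checkboxes('wikitools_node_types', $variants['check_plain']);
  return array(
    'unpatched emits the <script> tag verbatim' => strpos($raw, '<script>') !== false,
    'filter_xss removes the <script> tag'       => strpos($fx, '<script>') === false,
    'filter_xss still emits <strong> markup'    => strpos($fx, '<strong>') !== false,
    'check_plain escapes both payloads'         => strpos($plain, '&lt;script&gt;') !== false
                                                   && strpos($plain, '&lt;strong&gt;') !== false,
  );
}

$variants = option_variants(sample_node_type_names());
foreach ($variants as $label => $options) {
  echo "== $label ==\n" . render_checkboxes('wikitools_node_types', $options);
}
$failed = 0;
foreach (rendering_checks($variants) as $what => $ok) {
  echo ($ok ? 'PASS' : 'FAIL') . ": $what\n";
  if (!$ok) { $failed++; }
}
exit($failed ? 1 : 0);
```

Run it with `php wikitools_options_demo.php`. The 'filter_xss' variant shows the limit of the advisory's patch: the script tag is gone, but `<strong>Story</strong>` still arrives in the settings page as markup, which is why check_plain() (escape everything, keep the name as text) is the conventional fix for form-API option labels built from stored strings.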