| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Feb 2010 11:59:59 -0500 From: Martin Barbella <martybarbella@...il.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: XSS vulnerability in Drupal's MP3 Player contributed module (version 6.x-1.0-beta1) XSS vulnerability in Drupal's MP3 Player contributed module (version 6.x-1.0-beta1) Discovered by Martin Barbella <martybarbella@...il.com> Description of Vulnerability: ----------------------------- Drupal is a free software package that allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website. (From: http://drupal.org/about) The MP3 Player module allows users to use the WordPress Audio Player in Drupal. The name of the mp3 file is not properly sanitized when the javascript to create the audio player is generated, resulting in a cross site scripting vulnerability. The module also fails to sanitize various inputs on the MP3 player administration page. In the cases where the user is prompted for 6 digit hex values to use as colors for the player, it will only check that the value is 6 characters long, and will not verify that it is hexadecimal, but as this is both difficult to exploit, and requires that the user can administer the MP3 player module, the rest of this report will only focus on the previous vulnerability. Systems affected: ----------------- This has been confirmed in MP3 Player 6.x-1.0-beta1. Other versions may also be affected. Impact: ------- Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. (From OWASP: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) Mitigating factors: ------------------- A user must have permission to create nodes of a type that use the audio player. Proof of concept: ----------------- 1. Install the MP3 Player module and its dependencies. 2. Create a new content type with a file field that accepts mp3s. 3. Make sure that MP3 Player will be used with the field that you have created. 4. Create a file named "+alert(document.cookie)+".mp3 5. Create a node with the new content type, and upload this file. 6. Note that an alert box will be displayed when viewing this node. Timeline: --------- 2010-01-14 - Drupal Security notified 2010-02-01 - Still no response from Drupal Security 2010-02-01 - Public disclosure _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists