Date: Sun, 28 Feb 2010 01:37:26 +0000
From: Mori Sugimoto <foss@...sporan.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal Help Injection Module XSS Vulnerability

Correction: Drupal Security Team _only_ deals with vulnerability reports
that are related to major releases or release candidates.

Mori Sugimoto
Drupal Security Team

On 27/02/2010 23:49, Mori Sugimoto wrote:
> This module is still in alpha and not considered suitable for any
> production environment. Drupal Security Team does not deal with
> vulnerability reports that are related to major releases or release
> candidates. Instead we encourage reporters to contact the module
> maintainers and fix any issue in the public issue queue. Please refer to
> http://drupal.org/node/475848 for more detail.
>
> Mori Sugimoto
> Drupal Security Team
>
> On 17/02/2010 16:29, Justin C. Klein Keane wrote:
>
>> The full text of this advisory can also be found at
>> http://www.madirish.net/?article=448
>>
>> Description of Vulnerability:
>> -----------------------------
>> Drupal (http://drupal.org) is a robust content management system (CMS)
>> written in PHP and MySQL that provides extensibility through hundreds of
>> third party modules. The Advanced Help Injection and Export Module
>> (http://drupal.org/project/helpinject) "assists you in writing help
>> texts suitable for use with the Advanced Help module by allowing you to
>> write your help texts in Drupal books." The module suffers from an
>> arbitrary HTML injection vulnerability.
>>
>> Systems affected:
>> -----------------
>> Drupal 6.15 using Advanced Help 6.x-1.2 and Help Inject 6.x-1.0-alpha6
>> was tested and shown to be vulnerable. The Advanced Help module is a
>> dependency, but was not tested for vulnerability.
>>
>> Impact
>> ------
>> Attackers can exploit this vulnerability to escalate privilege and take
>> control of the web server process.
>>
>> Mitigating factors:
>> -------------------
>> The Advanced Help and Help Inject modules must be installed and enabled.
>> Attacker must have 'create book content' permissions in order to
>> exploit this vulnerability. Only those with the 'inject help'
>> permission are vulnerable, although this includes the site administrator.
>>
>> Proof of concept:
>> -----------------
>> 1. Install Drupal 6.15.
>> 2. Install Book, Advanced Help and Help Inject and enable all
>> functionality through Administer -> Modules
>> 3. Log in as uid 0 - the admin account
>> 4. Create a book using 'Create content' -> 'Book page'
>> 5. Fill in arbitrary values for the book title
>> 6. Expand the 'Book outline' form and select '<create a new book>' from
>> the 'Book:' select
>> 7. Save the book using the 'Save' button
>> 8. Log out and log in as a user with 'create book content' privilege
>> 9. Click 'Create content' -> 'Book page'
>> 10. Enter "<script>alert('xss');</script>" for the 'Title:' area
>> 11. Expand the 'Book outline' fieldset
>> 12. Select the book created in step 5 from the 'Book:' select item
>> 13. Click the 'Save' button
>> 14. Log out and log in as a user with privileges to 'inject help'
>> 15. Click on any of the Help Inject icons (the little plus in a gray
>> circle)
>> 16. Click the 'Next' button on the 'path granularity' screen
>> 17. Observe the JavaScript alert.
>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
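The bug class the quoted advisory describes is stored XSS: a node title chosen by a user who only holds 'create book content' is saved, and later rendered unescaped into a screen that only an 'inject help' user sees. The following is an added illustration of that pattern next to its hardened form. It is not code from the Help Inject module, from Drupal core, or from the advisory; helpinject_pick_book_vulnerable() and helpinject_pick_book_fixed() are hypothetical names, the $books array is constructed sample data standing in for a database result, and the local check_plain() fallback exists only so the file runs outside Drupal.

```php
<?php
// Added example of the stored-XSS pattern described in the advisory.
// NOT the Help Inject module's code; function names are hypothetical.

// Drupal 6 core defines check_plain() as htmlspecialchars() with
// ENT_QUOTES and UTF-8. Defined here only so this snippet runs stand-alone;
// inside Drupal the core function is used and this block is skipped.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: nid => title. The second title is what a user
// holding only 'create book content' enters in step 10 of the proof of
// concept; the title is stored verbatim, as a title should be.
$books = array(
  17 => 'Site editor handbook',
  23 => "<script>alert('xss');</script>",
);

// Vulnerable pattern: the stored title is concatenated straight into HTML.
// When the 'inject help' user loads this screen, the browser runs the script.
function helpinject_pick_book_vulnerable(array $books) {
  $out = '<ul class="helpinject-books">';
  foreach ($books as $nid => $title) {
    $out .= '<li><a href="?nid=' . $nid . '">' . $title . '</a></li>';
  }
  return $out . '</ul>';
}

// Hardened pattern: every database-sourced string is escaped at the point
// it enters HTML, and the numeric key is cast so it cannot break out of the
// attribute either. The title is still displayed, just as inert text.
function helpinject_pick_book_fixed(array $books) {
  $out = '<ul class="helpinject-books">';
  foreach ($books as $nid => $title) {
    $out .= '<li><a href="?nid=' . (int) $nid . '">'
          . check_plain($title) . '</a></li>';
  }
  return $out . '</ul>';
}

// Self-check, runnable with: php this_file.php
$bad  = helpinject_pick_book_vulnerable($books);
$good = helpinject_pick_book_fixed($books);
assert(strpos($bad, '<script>') !== false);         // payload survives intact
assert(strpos($good, '<script>') === false);        // payload neutralised
assert(strpos($good, '&lt;script&gt;') !== false);  // but still visible as text
echo $good, "\n";
```

In real Drupal 6 module code the escaping is usually implicit rather than a bare check_plain() call: l($title, $path) escapes its link text unless the 'html' option is set, and t() escapes any '@placeholder' substitution. The failure mode is the same in every case: a value that was correctly stored raw is later treated as markup because one rendering path skipped the escaping step, and the user who pays for it is the one with more privileges than the user who stored it.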