| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Apr 2010 20:09:42 +0300 From: Henri Salo <henri@...v.fi> To: full-disclosure@...ts.grok.org.uk Subject: Re: XSS in Drupal Better Formats Module On Tue, 27 Apr 2010 12:07:17 -0400 "Justin C. Klein Keane" <justin@...irish.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Description of Vulnerability: > - ----------------------------- > Drupal (http://drupal.org) is a robust content management system (CMS) > written in PHP and MySQL. The Drupal Better Formats module > (http://drupal.org/project/better_formats) contains a cross site > scripting (XSS) vulnerability due to the fact that it fails to > sanitize format names before display. > > Systems affected: > - ----------------- > Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be > vulnerable > > Impact > - ------ > User could inject arbitrary scripts into pages affecting site users. > This could result in administrative account compromise leading to web > server process compromise. > > Mitigating factors: > - ------------------- > In order to execute arbitrary script injection malicious users must > have 'Administer filters' permission. The Drupal security team has > classified vulnerabilities that require this permission > (http://drupal.org/node/475848) as "display bugs" because access to > this permission allows for alteration of input specifications that > could allow users with permissions to create content to craft > arbitrary PHP. However, in a situation where a user had "administer > filters" permission but could not create content this vulnerability > could be used to attack other Drupal users. > > Patch: > - ------------------------------------------ > Applying the following patch mitigates this issue in version 6.x-1.2. > > - --- better_formats/better_formats.module 2010-02-05 > 08:59:18.000000000 -0500 > +++ better_formats/better_formats.module 2010-04-27 > 11:35:53.444189426 -0400 @@ -537,7 +537,7 @@ function > better_formats_filter_form($val > > $form = array( > '#type' => 'fieldset', > - - '#title' => $fieldset_title, > + '#title' => check_plain($fieldset_title), > '#collapsible' => $collapsible, > '#collapsed' => $collapsed, > '#weight' => $weight, > @@ -551,7 +551,7 @@ function better_formats_filter_form($val > $parents_for_id = array_merge($parents, > array($format->format)); $form[$format->format] = array( > '#type' => 'radio', > - - '#title' => $format->name, > + '#title' => check_plain($format->name), > '#default_value' => $default, > '#return_value' => $format->format, > '#parents' => $parents, > > - -- > Justin C. Klein Keane > http://www.MadIrish.net > > The digital signature on this message can be confirmed > using the public key at http://www.madirish.net/gpgkey > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iPsEAQECAAYFAkvXC7UACgkQkSlsbLsN1gAYFQb4mjTDJY/6KP2JQIv0pK9H/20s > g/+dwvKFc78AQMMKqDzi3rfqF4L+RzE6bHPsKHmN7yWIxIGMccbL13rOAvarEzgZ > jYyfC24Lbhla38p4JkwWltxPNgsH10wXLGdv+BsiFp8oZUpuAQez0N0SNxhr1mX5 > rzZ0fgBEQm7WMmgH9qyLdso1erEQ5sLgPmED5dsaYK2Z2QHBgN19Ed0P1iEZpTdy > anFseTfo00Uts6zOd3loQ/ZeaAOAnYFZwunOtHVurFPyWpAaM1DGVAOHHWtR265d > jQMygOdRmQ5qtV/HpA== > =z0IC > -----END PGP SIGNATURE----- Have you requested CVE-identifier for this vulnerability? --- Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists