| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Aug 2012 14:49:51 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Security-news] SA-CONTRIB-2012-126 -
Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
For the curious:
XSS Exploit:
- ---------------
1. Install and enable the HotBlocks module
2. Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
3. Change Block #1 Name to "<script>alert('xss');</script>"
4. View the rendered Javascript at ?q=admin/content/hotblocks
Denial of Service Exploit:
- --------------------------------
1. Install and enable the HotBlocks module
2. Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
3. Change Block #1 Name to "<script>alert('xss');</script>"
4. Change "Term for hotblocks item:" to "hotblock item
<script>alert('hotblock term');</script>"
5. Change "Term for hotblocks items:" to "hotblock item
<script>alert('hotblock terms');</script>"
6. Save configuration
7. Go to Block admin at ?q=admin/build/block
8. Drag the Block #1 to the left sidebar and 'Save'
9. Return to the home page.
9. Click the 'Put a hotblock here' icon in the left sidebar and click
the malicious name. This points to a link such as
hotblocks/assign/11/1?destination=node&path=node&systemtype=block&token=343d600c37a2ed557df7cd22a0010352
10. Refresh the page - WSOD, error logs indicate something like:
[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal
Segmentation fault (11)
or
[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error:
Maximum execution time of 30 seconds exceeded in
/var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer:
http://10.10.0.101/drupal/
Justin C. Klein Keane
http://www.MadIrish.net
The PGP signature on this email can be verified using the public key at
http://www.madirish.net/gpgkey
On 08/15/2012 02:19 PM, security-news@...pal.org wrote:
> View online: http://drupal.org/node/1732946
>
> * Advisory ID: DRUPAL-SA-CONTRIB-2012-126 * Project: HotBlocks [1]
> (third-party module) * Version: 6.x * Date: 2012-August-15 *
> Security risk: Moderately critical [2] * Exploitable from: Remote *
> Vulnerability: Cross Site Scripting, Multiple vulnerabilities
>
> -------- DESCRIPTION
> ---------------------------------------------------------
>
> The Hotblocks module provides an enhanced GUI for administering
> blocks and block content that is intended to be simpler and more
> controllable for less privileged users than the default block
> administration tools.
>
> .... Cross Site Scripting (XSS)
>
> The module doesn't sufficiently sanitize the user input for "block
> names" on the module's settings page. A user could inject arbitrary
> scripts into pages affecting site users.
>
> This XSS vulnerability is mitigated by the fact that an attacker
> must have a role with the permission "administer hotblocks".
>
> .... Denial of Service (DoS)
>
> The hotblocks user interface also allows a user to configure one
> hotblock to reference itself as content, thereby creating an
> infinite loop and potentially rendering a site unusable.
>
> The DoS vulnerability is mitigated by the fact that a user must
> have a role with the permission "administer hotblocks" or a user
> with said permission must have configured the site such that it
> allows hotblocks to be embedded in other hotblocks.
>
> CVE: Requested
>
> -------- VERSIONS AFFECTED
> ---------------------------------------------------
>
> * Hotblocks 6.x-1.x versions prior to 6.x-1.8.
>
> Drupal core is not affected. If you do not use the contributed
> HotBlocks [3] module, there is nothing you need to do.
>
> -------- SOLUTION
> ------------------------------------------------------------
>
> Install the latest version:
>
> * If you use the Hotblocks module for Drupal 6.x, upgrade to
> Hotblocks 6.x-1.8 [4]
>
> Also see the HotBlocks [5] project page.
>
> -------- REPORTED BY
> ---------------------------------------------------------
>
> * Justin C. Klein Keane [6]
>
> -------- FIXED BY
> ------------------------------------------------------------
>
> * Justin Dodge [7] the module maintainer
>
> -------- COORDINATED BY
> ------------------------------------------------------
>
> * Greg Knaddison [8] of the Drupal Security Team
>
> -------- CONTACT AND MORE INFORMATION
> ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org
> or via the contact form at http://drupal.org/contact [9].
>
> Learn more about the Drupal Security team and their policies [10],
> writing secure code for Drupal [11], and securing your site [12].
>
>
> [1] http://drupal.org/project/hotblocks [2]
> http://drupal.org/security-team/risk-levels [3]
> http://drupal.org/project/hotblocks [4]
> http://drupal.org/node/1732828 [5]
> http://drupal.org/project/hotblocks [6]
> http://drupal.org/user/302225 [7] http://drupal.org/user/238638 [8]
> http://drupal.org/user/36762 [9] http://drupal.org/contact [10]
> http://drupal.org/security-team [11]
> http://drupal.org/writing-secure-code [12]
> http://drupal.org/security/secure-configuration
>
> _______________________________________________ Security-news
> mailing list Security-news@...pal.org Unsubscribe at
> http://lists.drupal.org/mailman/listinfo/security-news
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iPwEAQECAAYFAlAr708ACgkQkSlsbLsN1gCDJQb/XAYzsmAgbD/Sd6yAIuNXRTbJ
F6CW8laAHOKuZjUQdhBUJuOaXSMIqXEut9xerPzlEfXX0WWo5nyMIdsjezP+CUck
l+IzYVuRiLHDR2Ra5GSzHuOB+h7VjSJkynEThZBDFRyLBYtSvNDZ/QATn5Orhp/2
oCcx5443PECvkdzUsGTzCPBQiucIPFuzQTYggsd23Zf70Nqkq/VMW4xA+rVHOFLS
f61DH1feqhYNUW3GG7lhuqUX9vAHLjFQlgGWt8gD2o7tZ6wMFrtKsSouYsDavwAm
KamG8mEM+2+IdhDacqE=
=ubeS
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists