| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 04 Aug 2014 14:54:47 -0400
From: Ubani Balogun <ubani@....upenn.edu>
To: fulldisclosure@...lists.org
Subject: [FD] Superfish 7.x Minor Cross Site Scripting Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Superfish 7.x-1.9 Cross Site Scripting Vulnerability
====================================================
Author: Ubani A Balogun <ubani@....upenn.edu>
Reported: June 25, 2014
Product Description:
- --------------------
Superfish integrates jQuery Superfish plugin with your Drupal menus.
Description of Vulnerability:
- -----------------------------
Superfish suffers from a minor Cross Site Scripting vulnerability due
to its failure to sanitize error messages before displaying them using
the Drupal form_set_error function on the module configuration page.
System impacted:
- ----------------
Superfish 7.x-1.9 was tested on Drupal 7.28 using the Mozilla Firefox
29.0 browser and found to be vulnerable.
Impact:
- -------
Users with the permission to administer the superfish module can
inject arbitrary script via the module configuration form that
executes if form validation fails.
Mitigating Factors:
- -------------------
A malicious user must have permissions to administer the superfish
module in order to inject and execute arbitrary script. The
vulnerability is further mitigated by the fact that the injected
script is not persistent, thus reducing the impact of the vulnerability.
Proof of Concept:
- -----------------
1. Install and enable Superfish 7.x-1.9 on Drupal 7.28
2. Navigate to the superfish administration page at
?q=admin/config/user-interface/superfish.
3. Replace the contents of the text area "Path to Superfish library"
with: "<script>alert('XSS')</script>" (excluding quotes)
4. Click save configuration. Form validation fails, but a javascript
alert box with text "XSS" pops up
Patch:
- ------
The following patch mitigates the vulnerability
- --- superfish.admin.inc 2014-06-25 13:23:30.274737050 -0400
+++ superfish.admin_xssfixed.inc 2014-06-25 13:26:59.542740204 -0400
@@ -107,7 +107,7 @@ function superfish_admin_settings_valida
else {
$error_message = t('File not found') . ': ' . $error[0];
}
- - form_set_error('superfish_slp', $error_message);
+ form_set_error('superfish_slp', check_plain($error_message));
}
}
}
Vendor Response:
- ----------------
The Drupal security team has acknowledged the existence of the
vulnerability and will be addressing the issue publicly. Due to the
low exploitability of the vulnerability, a patch will be released at
the module maintainer's earliest convenience.
- --
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJT39byAAoJEKwVbF01qrx/ARkIALJ47sXGIIWhrFB5SjZ8M6z6
JPDmHkxwcbYrmnrbRJ4EMcqWzjMXfW16ab+UYAhBGqtRnT3SMwKFiyjsleM6L80+
Z6Jm1Oc3DkZyM/bba20en0+HPSKxmZGpgFCYPUpwaSF29VePVf66pvYxrktXnpFI
dcwUFsPORYOSVaWhRnTGfWuu+hnl24ZYORqSvD/frLnZRAh0ZiRR7cJ07KWDOLRY
C1NdvSaW2VK3WQMARy9Jnjzo8Ea1Df/AQY2QHu1H3SHjvEn5lqrXL967uWUsmNmv
UKArb/xZlePn0mlPg+RtW/qNrJgniSZvDVMJXfyjuGDdQgOoQ4qWSBuHwaujogE=
=+UCp
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists