Message-ID: <49A811B4.8050601@madirish.net>
Date: Fri, 27 Feb 2009 11:15:48 -0500
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal Protected Node Module XSS Vulnerability
Version Tested: 5.x-1.3 on Drupal 5.15
The Drupal Protected Node module
(http://drupal.org/project/protected_node) is designed to restrict
access to nodes using passwords. When nodes are created they can be
protected by selecting 'protected node' and specifying a password.
Users attempting to access the node must then enter that password before
the node is displayed. Details of this vulnerability can also be found at
http://lampsecurity.org/node/28.
The Protected Node module fails to properly sanitize user input
specified in the 'Password page info' input specified in Administer ->
Site Configuration -> Protected Node. Users with the 'administer site
configuration' permission can access this page.
Steps to reproduce the exploit:
1. Enable the Protected Node module
2. Set permissions (Administer -> User Management) so anonymous users
can access protected content in the protected_node module section
3. Click Administer -> Site Configuration -> Protected node
4. Enter the value <script>alert('xss');</script> into the 'Password
page info' textarea
5. Create a new piece of content
6. In the 'Protected node' section on the content creation screen check
the 'Node is protected' checkbox and enter a password.
7. Save the content.
8. Log out and view the content to trigger the JavaScript
Technical details:
This vulnerability is introduced by a failure to sanitize user input as
it is being displayed in the protected_node_enterpassword() function in
protected_node.module. Lines 272-274 print out the user-supplied text
using the statement:
$form['protected_node'] = array(
  '#value' => $info
);
The $info variable should be sanitized using check_plain() or a similar
function in order to prevent the XSS vulnerability.
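As an added illustration (not the module's own code), the following stand-alone PHP contrasts the unsanitized '#value' pattern described above with the check_plain() fix. Since Drupal core is not loaded here, check_plain() is stubbed with htmlspecialchars() (an assumption about its behaviour in Drupal 5), and the rendering helper and sample value are constructed for the example.

```php
<?php
// Added example: vulnerable pattern beside its check_plain() fix.
// Assumption: Drupal 5's check_plain() escapes with htmlspecialchars() and
// ENT_QUOTES; a stub is provided so this file runs without Drupal core.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: admin-supplied text becomes raw '#value' markup.
function protected_node_info_form_vulnerable($info) {
  $form = array();
  $form['protected_node'] = array(
    '#value' => $info,
  );
  return $form;
}

// Hardened pattern: escape before the text is used as markup.
function protected_node_info_form_fixed($info) {
  $form = array();
  $form['protected_node'] = array(
    '#value' => check_plain($info),
  );
  return $form;
}

// Constructed stand-in for the form renderer: a markup element's '#value'
// is emitted verbatim, which is why escaping must happen before this point.
function render_markup_element(array $form, $key) {
  return $form[$key]['#value'];
}

// Constructed sample: the value from the reproduction steps above.
$info = "<script>alert('xss');</script>";

$raw = render_markup_element(protected_node_info_form_vulnerable($info), 'protected_node');
$safe = render_markup_element(protected_node_info_form_fixed($info), 'protected_node');

// The vulnerable output still contains a live tag; the fixed output does not.
echo "vulnerable: ", $raw, "\n";
echo "fixed:      ", $safe, "\n";
echo "tag survives in fixed output: ", (strpos($safe, '<') === false ? 'no' : 'yes'), "\n";
```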
The Drupal security team (http://drupal.org/security) and the module
maintainer have been notified.
--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org