Message-ID: <4A04975E.8000706@madirish.net>
Date: Fri, 08 May 2009 16:34:38 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: security@...pal.org, full-disclosure@...ts.grok.org.uk
Subject: Drupal 5.17 Taxonomy Module XSS Vulnerability


Drupal 5.17 Taxonomy (Core) Module Contains XSS Vulnerability

May 7, 2009
Version tested: Drupal 5.17
http://lampsecurity.org/drupal-taxonomy-vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and supported by a MySQL database.  The power of Drupal
systems is extended by various modules.  Most modules are developed by
third parties, but there is a set of "core" modules that are provided as
part of a standard Drupal installation.

Drupal 5.17 Taxonomy module, which is part of the Drupal core and is
enabled by default upon installation, contains a cross site scripting
vulnerability that allows users with the 'administer taxonomy'
permission to inject arbitrary HTML in the help text of any Category
vocabulary.  This arbitrary HTML will be displayed when any user
attempts to create new content associated with the taxonomy.

Proof of concept:

1.  Log in to Drupal 5.17 as a user with administer taxonomy permissions
2.  Create a new content category using Administer -> Categories -> Add
Vocabulary
3.  Enter arbitrary <script>alert('xss');</script> in the 'Help text:'
field, check the 'Page' and 'Story' checkboxes under 'Types' and fill
out arbitrary values for other fields.
4.  Click 'Submit'
5.  Create new content by clicking the 'Create content' link and then
click either 'Page' or 'Story'
6.  A JavaScript alert will appear

This vulnerability is especially dangerous as it targets content
creators, who are likely to have elevated privileges in Drupal.  Extreme
care should be given to those users granted the 'administer taxonomy'
privilege until a fix is available.
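Until a fix is applied, a site administrator can at least find out whether any vocabulary already carries markup in its help text. The audit below is an added example, not code from this advisory or from Drupal: it takes rows as returned by `SELECT vid, name, help FROM vocabulary` on a Drupal 5 site (assumed column names), flags every tag or attribute outside a small allowlist (the allowlist and the sample rows are constructed here), and shows the hardened alternative of rendering help text as plain text.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist: the little markup a vocabulary description legitimately
# needs. This is NOT Drupal's own filter configuration.
ALLOWED_TAGS = {"a", "em", "strong", "code", "ul", "ol", "li", "p", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}


class HelpTextAuditor(HTMLParser):
    """Records every tag or attribute in a help-text field that a benign
    description would not need (e.g. <script>, or any event handler)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"disallowed attribute {name}= on <{tag}>")
            elif name == "href" and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in href")


def audit_help_text(text):
    """Return a list of findings for one help-text value (empty = clean)."""
    auditor = HelpTextAuditor()
    auditor.feed(text or "")
    auditor.close()
    return auditor.findings


def audit_vocabularies(rows):
    """rows: (vid, name, help) tuples from the Drupal 5 'vocabulary' table.
    Returns {vid: findings} for every vocabulary whose help text is suspect."""
    suspect = {}
    for vid, _name, help_text in rows:
        findings = audit_help_text(help_text)
        if findings:
            suspect[vid] = findings
    return suspect


def escape_help_text(text):
    """Hardened rendering: show help text as text, never interpret it as HTML."""
    return html.escape(text or "", quote=True)


# Constructed sample rows; row 2 carries the payload from the advisory's PoC.
SAMPLE_ROWS = [
    (1, "Topics", "Pick the topics this post covers."),
    (2, "Sections", "Choose a section <script>alert('xss');</script>"),
    (3, "Tags", 'See the <a href="/help/tags" title="Tagging guide">guide</a>.'),
    (4, "Audience", "Select <strong>exactly one</strong> audience."),
]

if __name__ == "__main__":
    for vid, findings in audit_vocabularies(SAMPLE_ROWS).items():
        print(f"vocabulary {vid}: {', '.join(findings)}")
```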

-- 
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
