lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A1C5747.2000807@madirish.net>
Date: Tue, 26 May 2009 16:55:35 -0400
From: Justin Klein Keane <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal 6 Content Access Module XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this disclosure have been posted at
http://lampsecurity.org/drupal_6_content_access_xss

Vendor Notified: 05/19/2009

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The Content Access Module
(http://drupal.org/project/content_access) suffers from a cross site
scripting vulnerability because it does not sanitize role names before
displaying them on the 'Access Control' screen of managed content types.
This vulnerability is exacerbated by the fact that Drupal 6.12 core does
not perform input validation on role names as they are being created.
This can lead to a situation where users administering role based access
controls of content types could be exposed to malicious HTML content.

Systems affected:
- -----------------
Drupal 6.12 with Content Access 6.x-1.1 was tested and shown to be
vulnerable

Impact
- ------
Authenticated users could be exposed to XSS attacks when administering
content access. Users with this responsibility are generally site
administrators. Cross site scripting attacks against administrators
could lead to full web server process compromise.

Mitigating factors:
- -------------------
In order to carry out the exploit described below the attacker must be
able to inject malicious content into role names, which is possible for
authenticated users with the 'administer permissions' permission. Other
attack vectors may exist that do not require these restricted permissions.

Proof of concept:
- -----------------
1. Install Drupal 6.12 and Content Access 6.x-1.1
2. Click Administer -> User management -> Roles
3. Enter "<script>alert('xss');</script>" in the "Name" textarea
4. Click the "Add Role" button
5. Observe JavaScript alert
6. Click on Administer -> Content Types
7. Click on 'edit' next to any content type
8. Click on 'Access control' link
9. Observe the JavaScript alert multiple times

Vendor Response
- ---------------
Drupal security was notified of this vulnerability on 5/19/2009. Vendor
has declined to issue an official security announcement due to the
restricted access rights required to carry out the proof of concept
exploit. Vendor has filed a bug with the module maintainer at
http://drupal.org/node/472494.

- --

Justin C. Klein Keane
http://www.MadIrish.net
http://LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkocV0YACgkQkSlsbLsN1gAQuQb9EYSb+J7eDst+jK/zAEmhqtqY
plXxiotJUtNKGCBtcunVAhA1YtQE3OAgAMwvhLvdYwM9d3A+NaQSu74IGrY5Q4rp
T1yiJwFW7rTmu3fo1TdSouNr2gZ6sfa5/089Rl4ZxMfiRQPv8jJFMdF65qDpJaaM
UNZEfMxUCJXuRVESDDx3P2h0liF0P+1xQiHB4oxsKhkWstV5hk9vhHIiNxjK63sS
r+bh0hxlQHUIO4UtWbZgoSeb1+GVip+I3bUjkMNcLre/unagjwaphGaS8CmyuefS
+Ic4IUkI5ouAfNSEcPw=
=nPoy
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ