Message-ID: <4A2D6350.5050000@madirish.net>
Date: Mon, 08 Jun 2009 15:15:28 -0400
From: Justin Klein Keane <justin@...irish.net>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Drupal 6 Email Field XSS Vulnerability


Vulnerability Summary Report

Author: Justin C. Klein Keane <justin@...irish.net>
Vendor Response: See below

Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-6-email-field-xss-vulnerability

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Email Field module
(http://drupal.org/project/email) extends the Content
Construction Kit (CCK) module (http://drupal.org/project/cck) by
providing a CCK field type for e-mail addresses.

The Email Field module contains a cross site scripting vulnerability due
to the fact that it fails to sanitize help text entered by users during
content type configuration.
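To make the sink concrete, here is an added stand-alone PHP example (it is not code from the advisory or from the Email Field module). It uses simplified stand-ins, `render_element_demo()` for the part of Drupal 6 form rendering that emits `#description` verbatim and `check_plain_demo()` for Drupal's `check_plain()`, and builds the element both as the unpatched module does and as the patch in the Follow up section does:

```php
<?php
// Added example, not from the advisory or the Email Field module.
// The helper names below are assumptions chosen for this demo.

// Stand-in for Drupal 6 check_plain(): escape the characters that matter
// in an HTML text context, treating the input as UTF-8.
function check_plain_demo(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for theme_form_element(): like Drupal 6, it writes the
// '#description' value into the page without escaping it, so whatever
// is stored in that key reaches the browser as-is.
function render_element_demo(array $element): string {
    $html  = '<label for="edit-email">' . $element['#title'] . "</label>\n";
    $html .= '<input type="text" id="edit-email" name="email" />' . "\n";
    if (!empty($element['#description'])) {
        $html .= '<div class="description">' . $element['#description'] . "</div>\n";
    }
    return $html;
}

// Unpatched behaviour: the admin-supplied help text is used directly.
function build_vulnerable_demo(string $help): array {
    return array('#type' => 'textfield', '#title' => 'Email',
                 '#description' => $help);
}

// Patched behaviour: the same text is wrapped in check_plain() first.
function build_fixed_demo(string $help): array {
    return array('#type' => 'textfield', '#title' => 'Email',
                 '#description' => check_plain_demo($help));
}

// Detection helper: does an executable script tag survive into the HTML?
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed input: the help text used in the proof of concept.
$payload = "<script>alert('xss');</script>";
$before  = render_element_demo(build_vulnerable_demo($payload));
$after   = render_element_demo(build_fixed_demo($payload));

echo "unpatched output contains <script>: ",
     contains_script_tag($before) ? 'yes' : 'no', "\n";
echo "patched output contains <script>:   ",
     contains_script_tag($after) ? 'yes' : 'no', "\n";
echo $after;
```

Run it with `php demo.php`; the patched output shows the payload as literal text inside the description div, while the unpatched output delivers it to the browser as markup.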

Systems affected:
-----------------
Drupal 6.12 with Email Field 6.x-1.1 was tested and shown to be vulnerable.

Impact:
-------
XSS vulnerabilities may expose site administrative accounts to
compromise, which could lead to web server process compromise. SQL
injection attacks can manipulate the Drupal database, compromising data,
exposing credentials, and could allow injection of XSS attacks in node
content.

Mitigating factors:
-------------------
The CCK and Email Field modules must be installed.  To carry out the
proof of concept below the attacker must authenticate as a user with
'administer content types' permissions.  Other attack vectors may
exist.

Proof of Concept:
-----------------
1.  Install the CCK and Email Field modules
2.  Log in as a user with 'Administer content types' privilege
3.  Click Administer -> Content Types
4.  Click 'Add a new content type' link
5.  Fill in arbitrary values
6.  Click 'Save content type' button
7.  Click 'manage fields' under the Operations column on the 'Administer' ->
'Content management' screen for the new content type
8.  Fill in a new field label and field name
9.  Select 'Email' for the type of data to store
10. Click the 'Save' button
11. In the "Help text:" field enter "<script>alert('xss');</script>"
12. Click the 'Save field settings' button
13. Click the 'Configure' link next to the new 'Email' type
14. Observe JavaScript alert

-or-

13. Click 'Create content' link
14. Click link for newly created type
15. Observe JavaScript alert

Vendor Response
---------------
Drupal security has consistently pointed to
http://drupal.org/node/372836 in response to vulnerabilities that
require 'Administer content types' permissions.

Follow up
---------
The following patch was submitted to the module maintainer and should
mitigate the vulnerability (Ref: http://drupal.org/node/485492):

- --- email/email.module	2008-08-12 04:12:02.000000000 -0400
+++ email_fixed/email.module	2009-06-08 15:03:40.000000000 -0400
@@ -221,7 +221,7 @@ function email_textfield_process($elemen
   $element[$field_key] = array(
     '#type' => 'textfield',
     '#title' => t($field['widget']['label']),
- -    '#description' => t($field['widget']['description']),
+    '#description' => check_plain(t($field['widget']['description'])),
     '#required' => $element['#required'],
     '#maxlength' => 255,
     '#size' => !empty($field['widget']['size']) ?
$field['widget']['size'] : 60,
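Review bot: the check_plain() added to '#description' in email_textfield_process() only covers the textfield widget rendered on the node form, so of the two proof-of-concept paths only the 'Create content' one is addressed by this hunk; the field 'Configure' page path is not touched here and needs its own escaping (or a separate patch) before the issue can be considered closed. Two smaller points: check_plain() escapes every tag, so any markup a site deliberately placed in help text will now render literally, and if keeping safe markup matters filter_xss_admin() is the Drupal 6 alternative worth considering; and the `- -` in front of the removed line is PGP dash-escaping from the signed message, so strip it before feeding this patch to `patch -p1`.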

--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
