Message-ID: <4A301947.5030003@madirish.net>
Date: Wed, 10 Jun 2009 16:36:23 -0400
From: Justin Klein Keane <justin@...irish.net>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Drupal Taxonomy Manager Module XSS Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vulnerability Summary Report
Author: Justin C. Klein Keane <justin@...irish.net>
Vendor Response: See below
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-6-taxonomy-manager-xss-vulnerability
Description of Vulnerability:
- ---------------------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Taxonomy Manager is a module that "provides an
[sic] powerful interface for managing a taxonomy vocabulary. A
vocabulary gets displayed in a dynamic tree view, where parent terms can
be expanded to list their nested child terms or can be collapsed." The
Taxonomy Manager suffers from a cross site scripting (XSS) vulnerability
because it fails to properly sanitize the "Vocabulary name" during
output, allowing for the injection of arbitrary HTML.
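The defect described above is an output-escaping failure: the vocabulary name is written into the page as markup rather than as text. The following PHP is an added illustration, not code from the advisory or from the Taxonomy Manager module, showing the unescaped rendering beside the escaped form Drupal 6 expects for user-supplied strings. The `check_plain()` stand-in mirrors the core function so the script runs outside Drupal (the real one additionally rejects invalid UTF-8), and the link path, vocabulary id and name are constructed sample values.

```php
<?php
// Added example (not from the advisory or the Taxonomy Manager module):
// unescaped output of a vocabulary name beside the escaped form.

// Stand-in for Drupal 6's check_plain() so this runs without a Drupal
// bootstrap; core's version also refuses invalid UTF-8 before escaping.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed vocabulary record, as an administrator might submit it
// through the 'Add new vocabulary' form.
$vocabulary = (object) array(
  'vid'  => 7,                                   // constructed id
  'name' => "<script>alert('xss');</script>",    // name from the advisory's PoC
);

// Vulnerable pattern: the stored name is concatenated into markup unchanged,
// so any HTML it contains is interpreted by the browser of whoever views
// the vocabulary list. (Path is a placeholder, not the module's real route.)
function render_vocabulary_link_unsafe($vocabulary) {
  return '<a href="/admin/example/vocabulary/' . (int) $vocabulary->vid . '">'
    . $vocabulary->name . '</a>';
}

// Hardened pattern: escape on output, so the name is displayed as text.
// In Drupal 6 the same result comes from l() (which runs check_plain() on
// its text argument unless $options['html'] is set) or from t() with an
// '@name' placeholder, which is also passed through check_plain().
function render_vocabulary_link_safe($vocabulary) {
  return '<a href="/admin/example/vocabulary/' . (int) $vocabulary->vid . '">'
    . check_plain($vocabulary->name) . '</a>';
}

// Audit helper: true when a name that carries markup reaches the rendered
// HTML verbatim, i.e. the escaping step was skipped somewhere.
function output_contains_raw_markup($html, $name) {
  return strip_tags($name) !== $name && strpos($html, $name) !== false;
}

$unsafe = render_vocabulary_link_unsafe($vocabulary);
$safe   = render_vocabulary_link_safe($vocabulary);

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";
echo 'Unsafe leaks markup: ' . var_export(output_contains_raw_markup($unsafe, $vocabulary->name), true) . "\n";
echo 'Safe leaks markup:   ' . var_export(output_contains_raw_markup($safe, $vocabulary->name), true) . "\n";
```

Run with `php` on the command line; the first link carries the raw `<script>` element while the second renders it as `&lt;script&gt;...`, and only the unsafe output trips the audit helper. The same check is a reasonable thing to run over any module that builds admin-page markup by string concatenation, since Drupal's convention is that every user-supplied string is escaped at output time, not at storage time.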
Systems affected:
- --------------------------
Drupal 6.12 with Taxonomy Manager 6.x-1.0 was tested and shown to be
vulnerable.
Impact:
- ----------
XSS vulnerabilities may expose site administrative accounts to
compromise, which could in turn lead to compromise of the web server process.
Mitigating factors:
- -------------------------
Taxonomy Manager must be installed and enabled. An attacker must have
'administer taxonomy' permissions in order to carry out the proof of
concept exploit detailed below. Note that the proof of concept provided
utilizes known attack vectors; other vectors may exist.
Proof of concept:
- -------------------------
1. Install Drupal 6.12.
2. Install and enable the Taxonomy Manager module.
3. Click on 'Administer' -> 'Taxonomy Manager'
4. Click 'Add new vocabulary'
5. Fill in "<script>alert('xss');</script>" for the 'Vocabulary name:'
textarea value.
6. Enter arbitrary data for the rest of the input
7. Click 'Save'
8. In Administer -> Content management -> taxonomy click 'add terms'
next to the new taxonomy
9. Fill in arbitrary values for the new term
10. Click 'Save'
11. Click on Administer -> Content management -> Taxonomy Manager
12. Click the link under 'Vocabularies:' for the new vocabulary
13. View JavaScript alert.
Vendor Response:
- ---------------------------
Upgrade to the latest version of the Taxonomy Manager module -
http://drupal.org/node/487818.
- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iPwEAQECAAYFAkowGUcACgkQkSlsbLsN1gCD/Qb/cn4hgOe5N5o65ReXGg3gqnQf
wQCuNQ7Mav0GNZeLEOQ+GjvlSXRyKmKYOTWDNVcJZaVCznYynh7/ZFHooeQDkGw0
jf6w+XgLeCjgELRXKWlB7k3zOtWK7pqmvJRgsqgjmMiVAq8re+aois7kwxT1CPd+
iopqZPbkPF1Vh7sNugxkD6wjfBc1g1MtEUIUJqFWgLsK07vCVHyhwECxxAiw3Lpa
e6qKbbivhKoV/EQh6quGwWuTplzI7Nt8XMlEUm2hxIWB6MM0dFD4W0AoygWiIwG1
xh00P0zPeGZcL20JWRU=
=veg8
-----END PGP SIGNATURE-----