[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A845F7B.2060008@madirish.net>
Date: Thu, 13 Aug 2009 14:46:19 -0400
From: Justin Klein Keane <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal Print Module Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vulnerability Report
Date of Original Vendor Contact: May 27, 2009
Author: Justin C. Klein Keane <justin@...irish.net>
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-print-module-vulnerabilities
Description of Vulnerability:
- - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Printer, e-mail and PDF versions (hereafter
referred to as Print) module (http://drupal.org/project/print) allows
for the generation of printer friendly versions of nodes, PDF version of
nodes, and the sending of nodes to e-mail recipients. The Print module
contains numerous cross site scripting (XSS) vulnerabilities:
The Print module contains a XSS vulnerability because it does not
properly sanitize the output of the footers in printer friendly views.
This allows users with 'administer print' permissions to inject
arbitrary HTML in the footer field that is rendered whenever the printer
friendly version of any node is displayed.
The Print module also contains a XSS vulnerability due to the fact that
'Stylesheet URL' input is not properly sanitized when displayed. This
allows malicious users the ability to inject external stylesheet
locations into the link tag displayed on printer friendly versions of
nodes. This vulnerability, combined with Internet Explorer support for
"expression" in CSS allows for XSS attacks.
The print module also contains a XSS vulnerability due to the fact that
the 'site name' is not properly sanitized when displaying e-mail
confirmation in the "Thank you for spreading the word about [site_name]"
area. The print module also contains a XSS vulnerability due to the
fact that it does not properly sanitize the 'Thank You Message:' input.
The print module also contains a XSS vulnerability due to the fact that
it does not properly sanitize node titles for display in the breadcrumbs
on printer friendly versions of nodes.
The print module also contains a XSS vulnerability due to the fact that
it does not properly sanitize the 'font family' setting when displaying
PDF versions of nodes.
Systems affected:
- - -----------------
Drupal 6.12 with Print 6.x-1.7 and TCPDF 4.6.012 was tested and shown to
be vulnerable to footer XSS injection. Drupal 6.12 with Print 6.x-1.7
and IE 6 was tested and shown to be vulnerable to link XSS injection.
Additional testing indicated that the 5.x branch of the Print module is
also vulnerable. Versions of Drupal more recent than those tested are
likely affected as well.
Impact:
- - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.
Mitigating factors:
- - -------------------
Print must be installed and enabled. Attacker must have 'administer
print' permissions in order to carry out the proof of concept exploit
detailed below. Site administration permissions are required to carry
out the site name injection described in the proof of concept below.
Internet Explorer is vulnerable to the malicious style sheet inclusion
proof of concept detailed below, other browsers may not be affected
depending on their support for the 'expression' statement in cascading
style sheets (CSS). Note that the proof of concept provided utilizes
known attack vectors, other vectors may exist.
Proof of concept:
- - -----------------
1. Install Drupal 6.12.
2. Install Print and enable all Print functionality through Administer
- - -> Modules. Install TCPDF per the Print module INSTALL.txt
3. In Administer -> Site configuration set the site name to
"<script>alert('site name');</script>"
4. Create a new content node with the title "<script>alert('node
title');</script>"
5. Click "Save configuration"
6. Create malicious stylesheet at arbitrary URL (for this PoC the
stylesheet is at http://192.168.0.2/style.css). Include the following:
BODY {
width:expression(alert("stylesheet xss"));
}
7. Click on Administer -> Site Configuration -> Printer, e-mail and PDF
versions
8. Select the 'Settings' link
9. Fill in "http://192.168.0.2/style.css' a='" for the "Stylesheet URL"
10. Expand the "Footer options" input area
11. Check the "User-specified" radio button
12. Fill in "<script>alert('footer xss');</script>" for the
"User-specified:" text input
13. Click the "Save configuration" button
14. Navigate to the homepage
15. View the node created in step 3 above and click the
"Printer-friendly version" link
16. Observe three JavaScript alerts in IE, other browsers may only
display the node title and footer XSS alerts.
17. Return to the node view and click the "Send to friend" link. Fill
in arbitrary values and click the "Send e-mail" button
18. Observe the site name JavaScript alert
19. Modify the PDF settings from Administer -> Site configuration ->
Printer, e-mail and PDF versions.
20. Fill in "dejavusans' <script>alert('font family');</script>" in the
"Font Family:" text input.
21. Click "Save configuration"
22. View the node created in step 4 above, click the "PDF version" link
23. Observe the JavaScript alert
24. Note that this causes a white screen and TCPDF error
Timeline
- --------
May 27 2009 - Issue reported to vendor
June 1 2009 - Originator re-contacts vendor to confirm receipt
June 1 2009 - Vendor confirms receipt
June 9 2009 - Originator inquires as to possibility of June 10 fix
June 9 2009 - Vendor replies maintainer contacted but June 10 fix unlikely
July 24 2009 - Vendor reports a June 29 fix
July 29 2009 - Vendor reports additional work necessary, fix delayed
August 13 2009 - after two weeks and no update Originator goes Full
Disclosure per terms of RFP disclosure policy .2.0
- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
iPwEAQECAAYFAkqEX3sACgkQkSlsbLsN1gC2EwcAsQ9yy6LLD1/i4izR2dh+5Mxw
D4XQVBy7ZdfNrSnq7ba2CJoGcMjuHKOxTzIgdh8NrQLNiQvYLRMY3EXYx4XVS3Ke
+zHSPeRsrbH5Vt3LUiRK2AWPE6qBJ6ucNBkiaazV++AYJe8pIvcnouWy56mvP3cS
zLHjj/gASFZNeWDrou640n1VSKVejeLmqp3xfGrmXL+sVpomD4qQlMSmFbnd69Zs
L/fXxoqG1J8C0BfErOQzZwXiOahukKyOQEhBALtMEhp90A/CFzxmf9r5G36qYyJS
qfKJMnpZlf950XMBOPM=
=C/pM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists