[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4ACF88A4.6060904@madirish.net>
Date: Fri, 09 Oct 2009 15:01:56 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The full text of this disclosure is posted at
http://www.madirish.net/?article=429
Description of Vulnerability:
- - - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.
Drupal 5.20 and 6.14 fail to properly filter the 'Site name' and 'Site
slogan' variables before display in the HTML headers of the page display.
Systems affected:
- - - -----------------
Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable.
Impact:
- - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.
Mitigating factors:
- - - -------------------
To carry out a filter based XSS exploit the attacker must have
'administer site configuration' permissions.
Proof of Concept 1:
- - ---------------------
1. Install Drupal
2. Change the site name via Administer -> Site configuration -> Site
Information
3. Enter '</title><script>alert('xss');</script>' for the 'Name' value
4. Click the 'Save configuration' button to view the JavaScript
Technical details:
- - ------------------------
Drupal fails to sanitize the output of the site name in the HTML title
tag, if the site name contains a closing title tag (i.e. "</title>")
this will interrupt the HTML rendering in most browsers, allowing
attackers to inject JavaScript. Although in many cases the JavaScript
is properly escaped during the site name display, if sites use a
template that obfuscates this display (such as those that use an image
layer and CSS to hide the actual text of the site name) there may be no
indication that an attack is occurring. This vulnerability also affects
the 'Site slogan' value during the homepage display.
The source of this vulnerability in Drupal 5.20 is the failure to
sanitize output of the variable_get('site_name', 'Drupal) call on line
204 of themes/engines/phptemplate.engine. Similarly output is not
sanitized on lines 207 and 209.
The source of this vulnerability in Drupal 6.14 is the failure to
sanitize output of the variable_get('site_name', 'Drupal) call on lines
1799 and 1802 of includes/theme.inc. Similarly output of the site
slogan is not sanitized on line 1804.
Patch for Drupal 5.20
- ----------------------
Applying the following patch mitigates these threats in Drupal 5.20.
- --- themes/engines/phptemplate/phptemplate.engine 2009-05-13
12:36:22.000000000 -0400
+++ themes/engines/phptemplate/phptemplate.engine 2009-10-09
13:35:56.167099573 -0400
@@ -201,12 +201,12 @@ function phptemplate_page($content, $sho
}
// Construct page title
if (drupal_get_title()) {
- - $head_title = array(strip_tags(drupal_get_title()),
variable_get('site_name', 'Drupal'));
+ $head_title = array(strip_tags(drupal_get_title()),
strip_tags(variable_get('site_name', 'Drupal')));
}
else {
- - $head_title = array(variable_get('site_name', 'Drupal'));
+ $head_title = array(strip_tags(variable_get('site_name', 'Drupal')));
if (variable_get('site_slogan', '')) {
- - $head_title[] = variable_get('site_slogan', '');
+ $head_title[] = strip_tags(variable_get('site_slogan', ''));
}
}
Patch for Drupal 6.14
- ----------------------
Applying the following patch mitigates these threats in Drupal 6.14.
- --- includes/theme.inc 2009-06-18 08:04:04.000000000 -0400
+++ includes/theme.inc 2009-10-09 13:42:40.523125334 -0400
@@ -1796,12 +1796,12 @@ function template_preprocess_page(&$vari
// Construct page title
if (drupal_get_title()) {
- - $head_title = array(strip_tags(drupal_get_title()),
variable_get('site_name', 'Drupal'));
+ $head_title = array(strip_tags(drupal_get_title()),
strip_tags(variable_get('site_name', 'Drupal')));
}
else {
- - $head_title = array(variable_get('site_name', 'Drupal'));
+ $head_title = array(strip_tags(variable_get('site_name', 'Drupal')));
if (variable_get('site_slogan', '')) {
- - $head_title[] = variable_get('site_slogan', '');
+ $head_title[] = strip_tags(variable_get('site_slogan', ''));
}
}
$variables['head_title'] = implode(' | ', $head_title);
Vendor Response:
- ----------------
Vendor reports that this issue is already public (Ref
http://drupal.org/node/461938) and requires advanced permissions
(http://drupal.org/node/475848) so will not be addressed with an SA.
- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
iQD1AwUBSs+IpJEpbGy7DdYAAQIdhgb/QQ1ez7M8TsZZZOt31FV4WvEngvviSkmX
l9Bitw8v17cfDnW8ZV/z2QCO51zQRkZrpErTHAV4uNpNKPC++DTkGgBDlhBdNQX5
VMgfHxT5NQzqpv/haIh9AK4QDObSkaOZ76A+fzS6EYTawTyvhhw/dFDh0tIbrjnt
U3HeLJiPVz1baJtwH3wMe0u8QQBqBBmVsIP+rYIBB5viieI/wtml2r/cpBuyZfN3
GVsxiz2qhvlwIWRQvQCPD3EiaeIdaP+z3Pt/WhiRKCiYWH8F8gulalUJc5o/T0zr
DuHHaaHwOaM=
=BArb
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists