Message-ID: <4ACF88A4.6060904@madirish.net>
Date: Fri, 09 Oct 2009 15:01:56 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The full text of this disclosure is posted at
http://www.madirish.net/?article=429

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.

Drupal 5.20 and 6.14 fail to properly filter the 'Site name' and 'Site
slogan' variables before they are displayed in the HTML head (the page
<title> element) of rendered pages.

Systems affected:
-----------------
Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable.

Impact:
-------
XSS vulnerabilities may expose site administrative accounts to
compromise, which in turn could lead to compromise of the web server
process.

Mitigating factors:
-------------------
To carry out a filter-based XSS exploit the attacker must already hold the
'administer site configuration' permission.

Proof of Concept 1:
---------------------
1.  Install Drupal
2.  Change the site name via Administer -> Site configuration -> Site
Information
3.  Enter '</title><script>alert('xss');</script>' for the 'Name' value
4.  Click the 'Save configuration' button to view the JavaScript

Technical details:
------------------------
Drupal fails to sanitize the output of the site name in the HTML title
tag. If the site name contains a closing title tag (i.e. "</title>"),
this interrupts the HTML rendering in most browsers and allows an
attacker to inject JavaScript. Although in many cases the site name is
properly escaped where it is displayed in the page body (so the injected
markup is visible there as text), sites that use a template which hides
that display (such as those that use an image layer and CSS to hide the
actual text of the site name) may show no indication that an attack is
occurring. This vulnerability also affects the 'Site slogan' value, which
is included in the title on the homepage.

The source of this vulnerability in Drupal 5.20 is the failure to
sanitize the output of the variable_get('site_name', 'Drupal') call on
line 204 of themes/engines/phptemplate/phptemplate.engine. Similarly, the
output of the site name and site slogan is not sanitized on lines 207 and
209.

The source of this vulnerability in Drupal 6.14 is the failure to
sanitize the output of the variable_get('site_name', 'Drupal') call on
lines 1799 and 1802 of includes/theme.inc. Similarly, the output of the
site slogan is not sanitized on line 1804.
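The following is an added illustration, not code from this advisory or from Drupal. It reproduces the head-title construction quoted in the patches below as a small stand-alone function and runs it on a constructed site name and slogan with three output filters: no filter (the pre-patch behaviour), the patch's strip_tags(), and contextual escaping via htmlspecialchars() (the call Drupal's check_plain() wraps). The title_intact() check is an assumed helper a deployer could run against rendered HTML; it is not part of Drupal.

```php
<?php
// Added example, not code from the advisory or from Drupal. It mirrors the
// head-title construction quoted in the advisory's patches and runs it with
// three output filters so the difference between "no filter", the patch's
// strip_tags() and contextual escaping is visible on a constructed input.

// Builds the <title> element the way the quoted theme code does: page title
// first (if any), then the site name; the slogan is only appended on the
// front page, where there is no page title. $filter is applied to the two
// stored variables, exactly where the patches insert strip_tags().
function head_title($page_title, $site_name, $site_slogan, callable $filter)
{
    if ($page_title !== '') {
        $parts = array(strip_tags($page_title), $filter($site_name));
    } else {
        $parts = array($filter($site_name));
        if ($site_slogan !== '') {
            $parts[] = $filter($site_slogan);
        }
    }
    return '<title>' . implode(' | ', $parts) . '</title>';
}

// Pre-patch behaviour: the stored variable is emitted unchanged.
$no_filter = function ($s) { return $s; };

// The advisory's patch: markup is removed, but the text is not escaped.
$strip = 'strip_tags';

// Escaping for the HTML text context; Drupal's check_plain() wraps the same
// htmlspecialchars() call.
$escape = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };

// Assumed deployer-side check on rendered HTML: a page must contain exactly
// one <title> and one </title>; a second closing tag means the element was
// closed early by injected content.
function title_intact($html)
{
    $h = strtolower($html);
    return substr_count($h, '<title>') === 1 && substr_count($h, '</title>') === 1;
}

// Constructed test values: the site name is the advisory's proof-of-concept
// string; the slogan shows what strip_tags() does to a harmless value that
// happens to contain markup and an ampersand.
$site_name   = "</title><script>alert('xss');</script>";
$site_slogan = "Community & <b>news</b>";

$filters = array('no filter' => $no_filter, 'strip_tags' => $strip, 'escape' => $escape);
foreach ($filters as $label => $f) {
    // Front page (empty page title) so the slogan is included as well.
    $html = head_title('', $site_name, $site_slogan, $f);
    printf("%-10s intact=%-3s %s\n", $label, title_intact($html) ? 'yes' : 'no', $html);
}
```

With no filter the output contains two closing title tags and title_intact() reports that the element was broken; strip_tags() removes the injected tags but also silently drops the slogan's <b> and leaves the bare "&" unescaped; htmlspecialchars() keeps every character of both values while neutralising the markup, which is why an escaping filter is the better fit for the <title> text context.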

Patch for Drupal 5.20
----------------------
Applying the following patch mitigates these threats in Drupal 5.20.

- --- themes/engines/phptemplate/phptemplate.engine   2009-05-13
12:36:22.000000000 -0400
+++ themes/engines/phptemplate/phptemplate.engine     2009-10-09
13:35:56.167099573 -0400
@@ -201,12 +201,12 @@ function phptemplate_page($content, $sho
   }
   // Construct page title
   if (drupal_get_title()) {
- -    $head_title = array(strip_tags(drupal_get_title()),
variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()),
strip_tags(variable_get('site_name', 'Drupal')));
   }
   else {
- -    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
- -      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = strip_tags(variable_get('site_slogan', ''));
     }
   }
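Review bot: the hunk header `@@ -201,12 +201,12 @@` declares 12 old and 12 new lines, but only 11 of each follow it (the trailing context line after the closing `}` is missing), so `patch` will reject this hunk as posted; restore the dropped context line or correct the counts. The two long `$head_title = array(...)` lines have also been wrapped by the mail client onto a continuation line with no leading `-`, `+` or space (`variable_get('site_name', 'Drupal'));` stands on its own), and the PGP dash-escaping (`- -    ` for removed lines, `- ---` for the file header) must be undone before the patch applies cleanly.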

Patch for Drupal 6.14
----------------------
Applying the following patch mitigates these threats in Drupal 6.14.

- --- includes/theme.inc      2009-06-18 08:04:04.000000000 -0400
+++ includes/theme.inc        2009-10-09 13:42:40.523125334 -0400
@@ -1796,12 +1796,12 @@ function template_preprocess_page(&$vari

   // Construct page title
   if (drupal_get_title()) {
- -    $head_title = array(strip_tags(drupal_get_title()),
variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()),
strip_tags(variable_get('site_name', 'Drupal')));
   }
   else {
- -    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
- -      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = strip_tags(variable_get('site_slogan', ''));
     }
   }
   $variables['head_title']        = implode(' | ', $head_title);
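Review bot: strip_tags() is a removal filter rather than an escaping one, so it is a weaker fix than contextual escaping for the <title> text context that `$variables['head_title'] = implode(' | ', $head_title);` feeds into: it silently alters legitimate values that contain a `<` and leaves a bare `&` unescaped. Drupal's check_plain() (an htmlspecialchars() wrapper) preserves the text while neutralising both a `</title>` and any tag; `check_plain(variable_get('site_name', 'Drupal'))` and `check_plain(variable_get('site_slogan', ''))` would be the more idiomatic replacement on the three changed lines. The same wrapping and dash-escaping caveats as for the 5.20 hunk apply here before the patch can be applied.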

Vendor Response:
----------------
The vendor reports that this issue is already public (ref.
http://drupal.org/node/461938) and requires advanced permissions
(http://drupal.org/node/475848), and so it will not be addressed with a
security advisory (SA).


--
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSs+IpJEpbGy7DdYAAQIdhgb/QQ1ez7M8TsZZZOt31FV4WvEngvviSkmX
l9Bitw8v17cfDnW8ZV/z2QCO51zQRkZrpErTHAV4uNpNKPC++DTkGgBDlhBdNQX5
VMgfHxT5NQzqpv/haIh9AK4QDObSkaOZ76A+fzS6EYTawTyvhhw/dFDh0tIbrjnt
U3HeLJiPVz1baJtwH3wMe0u8QQBqBBmVsIP+rYIBB5viieI/wtml2r/cpBuyZfN3
GVsxiz2qhvlwIWRQvQCPD3EiaeIdaP+z3Pt/WhiRKCiYWH8F8gulalUJc5o/T0zr
DuHHaaHwOaM=
=BArb
-----END PGP SIGNATURE-----
