[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4ACF8D03.1090101@madirish.net>
Date: Fri, 09 Oct 2009 15:20:35 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal 5.20 and 6.14 Filter Module (Core) XSS
Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The full text of this advisory is also posted at
http://www.madirish.net/?article=431
Description of Vulnerability:
- - - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. Drupal 5.20 and Drupal 6.14 contain several core
modules that enable basic functionality, including the filter module.
The filter module in Drupal 5.20 and 6.14 contains a cross site
scripting (XSS) vulnerability because it does not properly sanitize the
'Site name' variable before display.
Systems affected:
- - - -----------------
Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable.
Impact:
- - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.
Mitigating factors:
- - - -------------------
To carry out a filter based XSS exploit the attacker must have
'administer site configuration' permissions.
Proof of Concept 1:
- - ---------------------
1. Install Drupal
2. Install Wikitools
3. Change the site name from Administer -> Site configuration -> Site
information
4. Enter "<script>alert('xss');</script>" for the 'Name' and click
'Save configuration'
5. View the new content creation form by clicking Create content -> Page
6. Click the 'Input format' link to expand that area of the form
7. Click the 'More information about formatting options' link (or
browse to the '?q=filter/tips' URL)
8. Observe the rendered Javascript
Patch for Drupal 6
- ------------------
Applying the following patch mitigates these threats in Drupal 6.14.
- --- filter/filter.module 2009-10-09 15:06:20.326103353 -0400
+++ filter/filter.module 2009-10-09 15:09:21.611265554 -0400
@@ -188,7 +188,7 @@ function filter_filter_tips($delta, $for
<p>This site allows HTML content. While learning all of HTML may feel
intimidating, learning how to use a very small number of the most basic
HTML "tags" is very easy. This table provides examples for each tag that
is enabled on this site.</p>
<p>For more information see W3C\'s <a
href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your
favorite search engine to find other sites that explain HTML.</p>');
$tips = array(
- - 'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name',
'Drupal') .'</a>'),
+ 'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'.
filter_xss(variable_get('site_name', 'Drupal')) .'</a>'),
'br' => array( t('By default line break tags are
automatically added, so use this tag to add additional ones. Use of this
tag is different because it is not used with an open/close pair like all
the others. Use the extra " /" inside the tag to maintain XHTML 1.0
compatibility'), t('Text with <br />line break')),
'p' => array( t('By default paragraph tags are
automatically added, so use this tag to add additional ones.'), '<p>'.
t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
'strong' => array( t('Strong'), '<strong>'. t('Strong')
.'</strong>'),
Patch for Drupal 5
- ------------------
Applying the following patch mitigates these threats in Drupal 5.20.
- --- filter/filter.module 2009-10-09 15:12:28.781103173 -0400
+++ filter/filter.module 2009-10-09 15:12:37.655254084 -0400
@@ -170,7 +170,7 @@ function filter_filter_tips($delta, $for
<p>This site allows HTML content. While learning all of HTML may feel
intimidating, learning how to use a very small number of the most basic
HTML "tags" is very easy. This table provides examples for each tag that
is enabled on this site.</p>
<p>For more information see W3C\'s <a
href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your
favorite search engine to find other sites that explain HTML.</p>');
$tips = array(
- - 'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name',
'Drupal') .'</a>'),
+ 'a' => array( t('Anchors are used to make links to
other pages.'), '<a href="'. $base_url .'">'.
filter_xss(variable_get('site_name', 'Drupal')) .'</a>'),
'br' => array( t('By default line break tags are
automatically added, so use this tag to add additional ones. Use of this
tag is different because it is not used with an open/close pair like all
the others. Use the extra " /" inside the tag to maintain XHTML 1.0
compatibility'), t('Text with <br />line break')),
'p' => array( t('By default paragraph tags are
automatically added, so use this tag to add additional ones.'), '<p>'.
t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
'strong' => array( t('Strong'), '<strong>'.
t('Strong'). '</strong>'),
Vendor Response
- ----------------
According to Vendor website this vulnerability requires "advanced
permissions" and will not be addressed (ref http://drupal.org/node/475848).
- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
iQD1AwUBSs+NA5EpbGy7DdYAAQJNHwb/SEhOQ48jxDPv0xvt42BYRPYcVyXeAXQT
zLv6MIXh9ufkAfOPYfFcPLa85H0QKavD9KhKqO5+6xLCAoaXsFkt28r7aik7uHSb
kmeTFZ6wIAfCdTG86q7IsumWng0ViAMTjbLK/2Q5m8d7B2rJaZmMyxHY1yWIkaFy
4F4rJq9Ij4apTrQhFe3jK3jNFHNa+qaR5LSiWG5Ss9/6jxzMuAZBjQcCQyerDe/C
ZyvWs27F7lylCP+2R/p8qkJ0W+2aKJuZ/Nl0Lk8BDLXZ1Fa5OBZPz4Ihjw78ZHP4
HoryXpk2v0k=
=D+O+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists