Message-ID: <4ACF923E.3040000@madirish.net>
Date: Fri, 09 Oct 2009 15:42:54 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability
Full details of this report are also posted at
http://www.madirish.net/?article=430
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Wikitools module
(http://drupal.org/project/wikitools) "provides some settings to get a
more wiki-like behavior. It aims to be lightweight; all features are
optional, and it provides no database tables of its own."
The Wikitools module contains a cross-site scripting vulnerability
because it does not sanitize content type names before displaying them
on its administration settings page.
Systems affected:
-----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.
Impact:
-------
XSS vulnerabilities may expose site administrative accounts to
compromise, which could in turn lead to compromise of the web server
process.
Mitigating factors:
-------------------
The Wikitools module must be installed. To carry out a Site map based
XSS exploit the attacker must have 'administer content types' permissions.
Proof of Concept:
-----------------
1. Install Drupal
2. Install Wikitools
3. Create a new content type from Administer -> Content management -> Content types -> Add content type
4. Enter "<script>alert('xss');</script>" for the content type name and save the new content type
5. Enable the Wikitools module from Administer -> Site Building -> Modules
6. Click on Administer -> Site configuration -> Wikitools to observe the JavaScript
Technical details:
------------------
The Wikitools module fails to sanitize the output of content type names
before display, leading to an arbitrary HTML injection vulnerability.
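The bug and the fix, as an added stand-alone PHP model rather than the module's or the advisory's own code: it assumes no Drupal install, so check_plain() is re-implemented and node_get_types('names') is replaced by a constructed array; beside the vulnerable and hardened rendering it includes a small check that lists stored type labels containing markup.

```php
<?php
// Added stand-alone example, not code from the Wikitools module or this
// advisory. It models the bug and the fix without a Drupal install: the
// check_plain() re-implementation below follows how Drupal defines it
// (htmlspecialchars with ENT_QUOTES, UTF-8) and is an assumption of this file.

// Constructed stand-in for node_get_types('names'): machine name => label.
// Machine names are assumed to be restricted to [a-z0-9_], as Drupal enforces,
// so only the human-readable label is attacker-influenced here.
$node_type_names = array(
  'page'  => 'Page',
  'story' => 'Story',
  'evil'  => "<script>alert('xss');</script>",  // constructed, matches the PoC
);

function check_plain_standalone($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Models how each entry of a checkboxes '#options' array becomes a <label>.
function render_type_checkboxes(array $names) {
  $html = '';
  foreach ($names as $machine => $label) {
    $html .= '<input type="checkbox" name="wikitools_node_types[' . $machine . ']"'
           . ' id="edit-wikitools-node-types-' . $machine . '" />'
           . '<label for="edit-wikitools-node-types-' . $machine . '">' . $label . "</label>\n";
  }
  return $html;
}

// Defender-side check: list stored type labels that carry markup, so an injected
// name is noticed on an unpatched site before an administrator opens the page.
function suspicious_type_names(array $names) {
  return array_filter($names, function ($label) {
    return $label !== strip_tags($label);
  });
}

// Vulnerable: labels pass through untouched ('#options' => node_get_types('names')).
$vulnerable = render_type_checkboxes($node_type_names);

// Hardened: sanitize at the source, the same shape as the patch's array_map call
// but with check_plain, because a type name is plain text and should render no tags.
$hardened = render_type_checkboxes(array_map('check_plain_standalone', $node_type_names));

echo "raw label reaches markup:     " . var_export(strpos($vulnerable, '<script>') !== false, true) . "\n";
echo "escaped label reaches markup: " . var_export(strpos($hardened, '<script>') !== false, true) . "\n";
echo "labels containing markup:     " . implode(', ', array_keys(suspicious_type_names($node_type_names))) . "\n";
```

array_map over a single array keeps the string keys, which is why the patch's call leaves the machine-name keys of '#options' intact.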
Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.
- - --- wikitools/wikitools.module 2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module 2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
$form['wikitools_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Wiki node types'),
- - - '#options' => node_get_types('names'),
+ '#options' => array_map('filter_xss', node_get_types('names')),
'#size' => count(node_get_types('names')),
'#default_value' => wikitools_node_types(),
'#multiple' => TRUE,
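Review bot: filter_xss is a looser choice than this label needs; `'#options' => array_map('check_plain', node_get_types('names'))` would escape every type name as plain text, whereas filter_xss keeps a whitelist of inline tags (a, em, strong and others), so a type name containing those tags would still render as markup in the checkbox labels. On the plus side, array_map over a single array preserves string keys, so the machine names that key '#options' and feed '#default_value' are unchanged. The unchanged '#size' line calls node_get_types('names') a second time; capturing the array in a local once before building $form would avoid the duplicate call.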
Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.
- - --- wikitools/wikitools.admin.inc 2009-06-17 23:57:33.000000000
- -0400
+++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
$form['wikitools_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Wiki node types'),
- - - '#options' => node_get_types('names'),
+ '#options' => array_map('filter_xss', node_get_types('names')),
'#default_value' => wikitools_node_types(),
'#multiple' => TRUE,
'#description' => t('Select the node types which will be affected
by the specified options. If you select multiple node types, all nodes
of these types will be searched for when a wikipath is entered. If a
wikipage doesn\'t exist, an option to create any of these types will be
given.'),
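Review bot: as posted, this patch will not apply unmodified: the `---` file header is wrapped onto two lines ("...23:57:33.000000000" / "-0400") and the removed line carries the PGP dash-escaping prefix ("- - -") in front of the diff's own `-`, so both need to be restored by hand (or the original attachment used) before running patch. The substantive change matches the 5.x hunk, and the same check_plain-versus-filter_xss consideration applies here, since a wiki node type label is plain text and no markup in it should reach the form.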
Vendor Response
---------------
In the past, the vendor has responded that vulnerabilities requiring
'administer content types' privileges have already been addressed by
SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not
classified as security vulnerabilities, but rather as bugs.
--
Justin C. Klein Keane
http://www.MadIrish.net