lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4AD7308C.8080302@madirish.net>
Date: Thu, 15 Oct 2009 10:24:12 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this vulnerability can also be found at
http://www.madirish.net/?article=435

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Site Map module
(http://drupal.org/project/site_map) "provides a site map that gives
visitors an overview of your site. It can also display the RSS feeds for
all blogs and categories."

The Site map module contains a cross site scripting vulnerability
because it does not properly sanitize output of titles before display.

Systems affected:

Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.
Impact:

XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:

The Site map module must be installed. To carry out a Site map based XSS
exploit the attacker must have 'administer site configuration' permissions.

Proof of Concept:

   1. Install Drupal 6.14
   2. Install Site map 6.x-1.1
   3. Enable the Site map module from Administer -> Site building -> Modules
   4. Click Administer -> Site configuration -> Site map
   5. Enter "<script>alert('xss');</script>" in the 'Site map message'
text area
   6. Enable the site map link in Administer -> Site building -> Menus
- -> Navigation by clicking the 'Enable' checkbox next to 'Site map' and
clicking the 'Save configuration' button
   7. Click on the 'Site map' link in the navigation to observe the
rendered JavaScript

Technical details:

The Site map module fails to sanitize the output of the site map message
before display. Applying the following patch fixes this vulnerability.

Patch

Applying the following patch mitigates these threats.

- --- site_map/site_map.module    2009-09-30 15:09:49.295134033 -0400
+++ site_map/site_map.module      2009-09-30 15:09:30.011119976 -0400
@@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
  switch ($path) {
    case 'sitemap':
      $output = _sitemap_get_message();
- - -      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
+      return $output ? '<p>'. $output .'</p>' : '';
  }
 }

- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBStcwjJEpbGy7DdYAAQLv4wb+OoBt42FwHYjZ+DQwb2ljQgzHMwiGUy/o
JPVN0dTsjNOIpXz5teivOPaSMIthyB1+zHpeAojqZ1yTeYHPRjxGX8w5PrUVgBPU
gbh7YJ7we6MJV2ERfUhFOswepZOeseAZc1a5XnRgPEaTzd5IFf0x4yWzHl0M01XS
NTOxuvr8HGIxqGqmhLsljjPw8nnBFwc2pMojKRGNj6pbpkgL7hqxObhjBzepi/Eg
d30c7yTZ6Z5LgsaNPkE0OiV1JIj99SBXVLghhQ3mITouIhzSsddpDoHQXDQFwz5X
icA3Z7tgEGo=
=Q0zP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ