lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 16 Oct 2009 08:29:40 -0400
From: Justin Klein Keane <justin@...irish.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Reid of Drupal security correctly pointed out to me that this
vulnerability is for "Sitemap" module, not "XML Sitemap" as specified in
the subject line.  There are just so many that I lose track sometimes...
 Props to Dave for spotting my error and apologies for any confusion.

Justin C. Klein Keane
http://www.MadIrish.net


Justin Klein Keane wrote:
> Details of this vulnerability can also be found at
> http://www.madirish.net/?article=435
> 
> Description of Vulnerability:
> 
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL that provides extensibility through various
> third party modules. The Site Map module
> (http://drupal.org/project/site_map) "provides a site map that gives
> visitors an overview of your site. It can also display the RSS feeds for
> all blogs and categories."
> 
> The Site map module contains a cross site scripting vulnerability
> because it does not properly sanitize output of titles before display.
> 
> Systems affected:
> 
> Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.
> Impact:
> 
> XSS vulnerabilities may expose site administrative accounts to
> compromise which could lead to web server process compromise.
> 
> Mitigating factors:
> 
> The Site map module must be installed. To carry out a Site map based XSS
> exploit the attacker must have 'administer site configuration' permissions.
> 
> Proof of Concept:
> 
>    1. Install Drupal 6.14
>    2. Install Site map 6.x-1.1
>    3. Enable the Site map module from Administer -> Site building -> Modules
>    4. Click Administer -> Site configuration -> Site map
>    5. Enter "<script>alert('xss');</script>" in the 'Site map message'
> text area
>    6. Enable the site map link in Administer -> Site building -> Menus
> -> Navigation by clicking the 'Enable' checkbox next to 'Site map' and
> clicking the 'Save configuration' button
>    7. Click on the 'Site map' link in the navigation to observe the
> rendered JavaScript
> 
> Technical details:
> 
> The Site map module fails to sanitize the output of the site map message
> before display. Applying the following patch fixes this vulnerability.
> 
> Patch
> 
> Applying the following patch mitigates these threats.
> 
> --- site_map/site_map.module    2009-09-30 15:09:49.295134033 -0400
> +++ site_map/site_map.module      2009-09-30 15:09:30.011119976 -0400
> @@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
>   switch ($path) {
>     case 'sitemap':
>       $output = _sitemap_get_message();
> - -      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
> +      return $output ? '<p>'. $output .'</p>' : '';
>   }
>  }
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSthnM5EpbGy7DdYAAQI8DwcAgwYEIG/7iuccRew6/Y5gg3Nu1yHBX0A2
/Qi4xItTgh47V1Gbe/lfxeFJavyV4ofXXxfOdnvoK1v9+GFetqDnL8o5836tN8ov
Xy4k7J+zcGz0iOH+eJggIFn6AfK+NpRlFaghYpEFnnHdaS9iTUzqi0hIaDlyDypT
9p9+ClsvHbv1jlmG+MhkNXtThAkAzxw3ZH3CNRbXEqbSK+LOknzsgPRBIdQvjK+z
aJp6kCB6GV2M8KeglHYCSzDQNag2GZBzALGQXaDiR8poXutxzP0egzeBmeQ0PZjx
qTDjFUuJrFY=
=lSK5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ