lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1e85415f1001140653y1d1a76bel14a959c3dc73be5a@mail.gmail.com>
Date: Thu, 14 Jan 2010 09:53:21 -0500
From: Marty Barbella <martybarbella@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: XSS Vulnerability in Drupal's Node Blocks
	contributed module (6.x-1.3 and 5.x-1.1)

XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3
and 5.x-1.1)

Discovered by Martin Barbella <martybarbella@...il.com>

Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)

The Node Blocks module allows users to specify content type(s) as
being a block. This allows the content managers of the site to edit
the block text and title without having to access the block
administration page. (From: http://drupal.org/project/nodeblock)

The block title is not properly sanitized when a user displays a block
created from a node, resulting in a cross site scripting
vulnerability.


Systems affected:
-----------------
This has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous
versions may also be affected.


Impact:
-------
This is an example of a stored cross site scripting vulnerability.
Stored attacks are those where the injected code is permanently stored
on the target servers, such as in a database, in a message forum,
visitor log, comment field, etc. The victim then retrieves the
malicious script from the server when it requests the stored
information.  (From OWASP:
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)


Mitigating factors:
-------------------
A user must be able to create nodes of a type used by Node Blocks, and
this node must be added as a block by a user with the administer
blocks permission.


Proof of concept:
-----------------
1. Install the Node Blocks module
2. Create a content type with available as block enabled
3. As a user with permission to create nodes of this type, create a
node with the title "<script>alert('XSS')</script>"
4. As a user that can administer blocks, add this block to a region
5. Note that an alert box will be displayed when the block is
generated on a page


Solution:
---------
Install version 6.x-1.4 or 5.x-1.2 of the Node Blocks module.


Timeline:
---------
2009-12-29 - Drupal Security notified.
2010-01-13 - Security announcement released on drupal.org
(http://drupal.org/node/683598)


Credit:
-------
This vulnerability was reported by Martin Barbella to Khalid
Baheyeldin at Drupal Security, and fixed by Thomas Turnbull.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ