lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 27 Apr 2010 12:07:17 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: XSS in Drupal Better Formats Module

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Better Formats module
(http://drupal.org/project/better_formats) contains a cross site
scripting (XSS) vulnerability due to the fact that it fails to sanitize
format names before display.

Systems affected:
- -----------------
Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be
vulnerable

Impact
- ------
User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:
- -------------------
In order to execute arbitrary script injection malicious users must have
'Administer filters' permission.  The Drupal security team has
classified vulnerabilities that require this permission
(http://drupal.org/node/475848) as "display bugs" because access to this
permission allows for alteration of input specifications that could
allow users with permissions to create content to craft arbitrary PHP.
However, in a situation where a user had "administer filters" permission
but could not create content this vulnerability could be used to attack
other Drupal users.

Patch:
- ------------------------------------------
Applying the following patch mitigates this issue in version 6.x-1.2.

- --- better_formats/better_formats.module	2010-02-05 08:59:18.000000000
-0500
+++ better_formats/better_formats.module	2010-04-27 11:35:53.444189426 -0400
@@ -537,7 +537,7 @@ function better_formats_filter_form($val

     $form = array(
       '#type' => 'fieldset',
- -      '#title' => $fieldset_title,
+      '#title' => check_plain($fieldset_title),
       '#collapsible' => $collapsible,
       '#collapsed' => $collapsed,
       '#weight' => $weight,
@@ -551,7 +551,7 @@ function better_formats_filter_form($val
       $parents_for_id = array_merge($parents, array($format->format));
       $form[$format->format] = array(
         '#type' => 'radio',
- -        '#title' => $format->name,
+        '#title' => check_plain($format->name),
         '#default_value' => $default,
         '#return_value' => $format->format,
         '#parents' => $parents,

- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPsEAQECAAYFAkvXC7UACgkQkSlsbLsN1gAYFQb4mjTDJY/6KP2JQIv0pK9H/20s
g/+dwvKFc78AQMMKqDzi3rfqF4L+RzE6bHPsKHmN7yWIxIGMccbL13rOAvarEzgZ
jYyfC24Lbhla38p4JkwWltxPNgsH10wXLGdv+BsiFp8oZUpuAQez0N0SNxhr1mX5
rzZ0fgBEQm7WMmgH9qyLdso1erEQ5sLgPmED5dsaYK2Z2QHBgN19Ed0P1iEZpTdy
anFseTfo00Uts6zOd3loQ/ZeaAOAnYFZwunOtHVurFPyWpAaM1DGVAOHHWtR265d
jQMygOdRmQ5qtV/HpA==
=z0IC
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ