Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B32930037FC17B@BE35.exg3.exghost.com>
Date: Tue, 27 Apr 2010 15:21:30 -0400
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "Justin C. Klein Keane" <justin@...irish.net>,
<full-disclosure@...ts.grok.org.uk>
Subject: Re: XSS in Drupal Better Formats Module
You need admin privileges for it. It's not a vulnerability, it's a
feature.
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Justin
C. Klein Keane
Sent: Tuesday, April 27, 2010 3:07 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] XSS in Drupal Better Formats Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I did not apply for a CVE identifier because there are folks who would
argue that the conditions described below do not qualify as a
"vulnerability." I must confess I'm ignorant of the CVE guidelines
surrounding such a situation. Any further information or clarification
would be greatly appreciated.
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
On 04/27/2010 01:09 PM, Henri Salo wrote:
> On Tue, 27 Apr 2010 12:07:17 -0400
> "Justin C. Klein Keane" <justin@...irish.net> wrote:
>
> Description of Vulnerability:
> -----------------------------
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Better Formats module
> (http://drupal.org/project/better_formats) contains a cross site
> scripting (XSS) vulnerability due to the fact that it fails to
> sanitize format names before display.
>
> Systems affected:
> -----------------
> Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be
> vulnerable
>
> Impact
> ------
> User could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise.
>
> Mitigating factors:
> -------------------
> In order to execute arbitrary script injection malicious users must
> have 'Administer filters' permission. The Drupal security team has
> classified vulnerabilities that require this permission
> (http://drupal.org/node/475848) as "display bugs" because access to
> this permission allows for alteration of input specifications that
> could allow users with permissions to create content to craft
> arbitrary PHP. However, in a situation where a user had "administer
> filters" permission but could not create content this vulnerability
> could be used to attack other Drupal users.
>
> Patch:
> ------------------------------------------
> Applying the following patch mitigates this issue in version 6.x-1.2.
>
> --- better_formats/better_formats.module 2010-02-05
> 08:59:18.000000000 -0500
> +++ better_formats/better_formats.module 2010-04-27
> 11:35:53.444189426 -0400 @@ -537,7 +537,7 @@ function
> better_formats_filter_form($val
>
> $form = array(
> '#type' => 'fieldset',
> - '#title' => $fieldset_title,
> + '#title' => check_plain($fieldset_title),
> '#collapsible' => $collapsible,
> '#collapsed' => $collapsed,
> '#weight' => $weight,
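Review bot: `$fieldset_title` is built outside this hunk, so confirm before merging that it is the raw admin-entered string and has not already gone through check_plain() or a t() call with escaped placeholders upstream; escaping it a second time at the '#title' assignment would make the legend show literal `&amp;lt;` entities instead of text. If it is raw, check_plain() at this line is the right place for the fix, since the value is only ever displayed here.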
> @@ -551,7 +551,7 @@ function better_formats_filter_form($val
> $parents_for_id = array_merge($parents,
> array($format->format)); $form[$format->format] = array(
> '#type' => 'radio',
> - '#title' => $format->name,
> + '#title' => check_plain($format->name),
> '#default_value' => $default,
> '#return_value' => $format->format,
> '#parents' => $parents,
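Review bot: this hunk escapes `$format->name` only for this one radio label inside better_formats_filter_form(); any other place the module renders `$format->name` is not covered by the patch, so those render sites should be checked before the issue is treated as closed, or the name sanitized once where the formats are loaded so each caller does not have to remember. `$form[$format->format]` and '#return_value' carry the format id rather than the display name, so leaving them untouched is correct.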
>
> Have you requested CVE-identifier for this vulnerability?
> ---
> Henri Salo
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPwEAQECAAYFAkvXNdUACgkQkSlsbLsN1gDrdAb/ZauQapPp4xQ25ACnNrEPHU+8
hKoAmpX3fE5Vfwd86ybEZxyXwks0Lj6YXtGcoYzzkNCsmRCLQC1xhw00RlAHiHEp
hTp2gukgdi67KJsRRhoKHV5IKl99uetF/Z7KO6DUkN9v9N33ss/L4JlSn+MQf3Hg
F3zSTvVMudv38+hSGVagOcNRh03iyeAbvG9VqkpKOhRJJ0NlNCa0qizDXRDDvgF3
R/nXKIOkpCUtdCPo9sDdEZzaEQwZlgzRD78E//NJwkKaaBUQeNylCPL3GDRsywYf
K2pPUCdVGEnqsxoEwnY=
=+rXU
-----END PGP SIGNATURE-----
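The render path the advisory and patch are about, as an added PHP example: this is not code from the Better Formats module, from Drupal, or from the thread. `check_plain_example()` and `render_filter_form()` are hypothetical names; the markup they emit approximates, rather than reproduces, what Drupal 6 renders for a fieldset '#title' and a radio '#title', and the format names are constructed sample data. The point it shows is the one the patch makes: an input-format name typed by a user holding 'administer filters' is concatenated straight into a legend and a label, and wrapping it in check_plain() at the '#title' assignment is what turns the payload back into inert text.

```php
<?php
// Added example (not code from the Better Formats module or the advisory).
// It mimics the render path the patch changes: an input-format name chosen by
// a user with 'administer filters' ends up in a fieldset <legend> and in a
// radio <label>. The "before" output concatenates the raw name; the "after"
// output runs it through a stand-in for Drupal's check_plain().

// Hypothetical stand-in for Drupal 6's check_plain(): reject strings that are
// not valid UTF-8 (a browser may decode stray bytes into markup) and
// HTML-escape & < > " ' so the value can only ever be text in the page.
function check_plain_example($text) {
  if ($text !== '' && !preg_match('/^./us', $text)) {
    return '';
  }
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical renderer approximating the markup Drupal 6 produces for a
// fieldset '#title' and a radio '#title'; it is not the form API itself.
// $formats is a list of objects with ->format (integer id) and ->name.
function render_filter_form(array $formats, $fieldset_title, $escape) {
  $legend = $escape ? check_plain_example($fieldset_title) : $fieldset_title;
  $html = '<fieldset><legend>' . $legend . "</legend>\n";
  foreach ($formats as $format) {
    // The id and value come from the integer format id, not the display
    // name, which is why the patch leaves '#return_value' untouched.
    $fid = (int) $format->format;
    $label = $escape ? check_plain_example($format->name) : $format->name;
    $html .= '  <input type="radio" name="format" id="edit-format-' . $fid
          . '" value="' . $fid . '" />'
          . '<label for="edit-format-' . $fid . '">' . $label . "</label>\n";
  }
  return $html . "</fieldset>\n";
}

// Constructed sample data: one benign format and one whose name carries a
// harmless proof-of-concept payload of the kind the advisory describes.
$formats = array(
  (object) array('format' => 1, 'name' => 'Filtered HTML'),
  (object) array('format' => 3, 'name' => 'Full HTML<script>alert(1)</script>'),
);

echo "--- before the patch: raw name reaches the page ---\n";
echo render_filter_form($formats, 'Input format', FALSE);

echo "--- after the patch: check_plain() at the '#title' assignment ---\n";
echo render_filter_form($formats, 'Input format', TRUE);

// Escape exactly once, at the render site. Escaping already-escaped output a
// second time turns &lt; into &amp;lt; and the legend shows literal entities.
$once  = check_plain_example('<b>');
$twice = check_plain_example($once);
echo "double-escaped: $twice\n";
```

Run it with the PHP CLI and compare the two fieldsets: in the first, the script element sits inside the label as live markup; in the second it appears as `&lt;script&gt;` and the browser shows it as text. The final lines illustrate why the check belongs at the '#title' assignment and nowhere else on the same value: applying it again to output that is already escaped double-encodes the name, which is the failure mode to watch for if `$fieldset_title` is built from a string that was sanitized upstream.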