lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4C1A1C5D.9090408@madirish.net>
Date: Thu, 17 Jun 2010 09:00:13 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Drupal FileField Module XSS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FileField 6.x-3.3 Arbitrary Script Injection Vulnerability

CVE-2010-1958

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal FileField module
(http://drupal.org/project/filefield) "provides a universal file upload
field for CCK. It is a robust alternative to core's Upload module and an
absolute must for users uploading a large number of files. Great for
managing video and audio files for podcasts on your own site."  The
FileField module contains a cross site scripting (XSS) vulnerability due
to the fact that it fails to sanitize image filenames before display.

Systems affected:
- -----------------
Drupal 6.16 with CCK 6.x-2.6 and FileField 6.x-3.3 was tested and shown
to be vulnerable.

Impact
- ------
Users who have rights to create content may upload files (including
images) with malicious names that could result in script execution.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:
- -------------------
Attacker must have rights to create content of a type that employs an
FileField CCK element.  This would include most content that had
attachments including imagery, documents, etc.

Additionally, Drupal's file handling must be set to Public in the File
system settings at ?q=admin/settings/file-system.  This is the default
configuration.

Further Details:
- ----------------
Further details about this vulnerability can be found at
http://www.madirish.net/?article=461

Vendor Response:
- ------------------------------------------
Vendor has responded by releasing a fixed version and a detailed
security announcement.  Vendor response is fully detailed in
SA-CONTRIB-2010-066 (http://drupal.org/node/829808)

- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkwaHF0ACgkQkSlsbLsN1gC1Nwb+PFlE/a/PtZJdjnI3IO18FzaV
nZkEfBlngdsHZLW+G9qoaXyORZ781uIkRtQJMEQBEKBFWAYfPAuvAk2eq7xxhoZl
X8zrKtJYb7gkWZO+7iBGs0q/ah7FKLCPr578SgMcilCLn7OmjkEFJOqRH0Fb2kVu
beiL3N5vEVI4Qz/qygglMvsFyRm4v22l8SeYKFrs/e7x+NR8puQjVvSeF5dFSQ7x
oqJrdPqD29fO3sfKVR/IqIGwFg+nzLUrvmqT4p7HSsxjbc5IXGRn+MohbRz/RS1C
rzqZI/ytPkuBp2XRqdI=
=EpO+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ