| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Jun 2010 09:00:13 -0400 From: "Justin C. Klein Keane" <justin@...irish.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Drupal FileField Module XSS Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FileField 6.x-3.3 Arbitrary Script Injection Vulnerability CVE-2010-1958 Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal FileField module (http://drupal.org/project/filefield) "provides a universal file upload field for CCK. It is a robust alternative to core's Upload module and an absolute must for users uploading a large number of files. Great for managing video and audio files for podcasts on your own site." The FileField module contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize image filenames before display. Systems affected: - ----------------- Drupal 6.16 with CCK 6.x-2.6 and FileField 6.x-3.3 was tested and shown to be vulnerable. Impact - ------ Users who have rights to create content may upload files (including images) with malicious names that could result in script execution. This could result in administrative account compromise leading to web server process compromise. Mitigating factors: - ------------------- Attacker must have rights to create content of a type that employs an FileField CCK element. This would include most content that had attachments including imagery, documents, etc. Additionally, Drupal's file handling must be set to Public in the File system settings at ?q=admin/settings/file-system. This is the default configuration. Further Details: - ---------------- Further details about this vulnerability can be found at http://www.madirish.net/?article=461 Vendor Response: - ------------------------------------------ Vendor has responded by releasing a fixed version and a detailed security announcement. Vendor response is fully detailed in SA-CONTRIB-2010-066 (http://drupal.org/node/829808) - -- Justin C. Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAkwaHF0ACgkQkSlsbLsN1gC1Nwb+PFlE/a/PtZJdjnI3IO18FzaV nZkEfBlngdsHZLW+G9qoaXyORZ781uIkRtQJMEQBEKBFWAYfPAuvAk2eq7xxhoZl X8zrKtJYb7gkWZO+7iBGs0q/ah7FKLCPr578SgMcilCLn7OmjkEFJOqRH0Fb2kVu beiL3N5vEVI4Qz/qygglMvsFyRm4v22l8SeYKFrs/e7x+NR8puQjVvSeF5dFSQ7x oqJrdPqD29fO3sfKVR/IqIGwFg+nzLUrvmqT4p7HSsxjbc5IXGRn+MohbRz/RS1C rzqZI/ytPkuBp2XRqdI= =EpO+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists