lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4E033819.6090702@madirish.net>
Date: Thu, 23 Jun 2011 08:56:57 -0400
From: Justin Klein Keane <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal Download Count Module XSS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Report

April 4, 2011 14:30 (GMT - 4:00)


Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Download Count module
(http://drupal.org/project/download_count) is designed to keep track of
file downloads on Drupal sites.  This module contains multiple cross
site scripting (XSS) vulnerabilities due to the fact that it fails to
sanitize user supplied input before display.  Download Count was
unpublished at version 6.x-1.3 for similar problems (SA-CONTRIB-2010-052
- -http://drupal.org/node/803728).

Systems affected:
- -----------------
Drupal 6.19 with Download Count 6.x-1.5 was tested and shown to be
vulnerable.

Impact
- ------
User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise.  A more likely scenario would be for an
attacker to inject hidden content (such as iframes, applets, or embedded
objects) that would attack client browsers in an attempt to compromise
site users' machines.  This vulnerability could also be used to launch
cross site request forgery (XSRF) attacks against the site that could
have other unexpected consequences.

Mitigating factors:
- -------------------
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the
permissions to administer download count.  This could be accomplished
via social engineering, brute force password guessing, or abuse or
legitimate credentials.  XSS affects only pages that users with 'view
all downloads count' permission can access (such as site admins).

Proof of Concept:
- -----------------
1.  Install Drupal and Download Count module
2.  Navigate to the Download counter admin page at
?q=admin/settings/download_count
3.  Enter "<script>alert('xss1');</script>" in the 'Title' field
4.  Save the form
5.  View rendered JavaScript at ?q=download_counter

Vendor Response:
- -----------------
"Disable the Download Count module and remove the module from your
filesystem." Ref http://drupal.org/node/1196670

Patch:
- ------------------------------------------
Applying the following patches mitigates these issues in version 6.x-1.5

- --- download_count/download_count.module	2010-05-30 15:40:04.000000000
-0400
+++ download_count/download_count.module	2011-04-04 14:17:43.503554109 -0400
@@ -121,7 +121,7 @@ function download_count_admin_settings()
 }
 function download_count_view_page() {
   global $user;
- -  drupal_set_title(variable_get('download_counter_view_page_title',
t('Download counter')));
+
drupal_set_title(check_plain(variable_get('download_counter_view_page_title',
t('Download counter'))));
   $header[] = array('data' => t('filename'), 'field' => 'filename');
   $header[] = array('data' => t('hits'), 'field' => 'count', 'sort' =>
'desc');
   $header[] = array('data' => t('last download'), 'field' => 'timestamp');
@@ -145,9 +145,9 @@ function download_count_view_page() {
   if (empty($rows)) {
     $rows[] = array(array('data' => t('No file attachment has been
downloaded.'), 'colspan' => '4'));
   }
- -  $output =
check_markup(variable_get('download_counter_view_page_header', ''),
variable_get('download_counter_view_page_format', 0), false);
+  $output =
check_markup(check_plain(variable_get('download_counter_view_page_header',
'')), variable_get('download_counter_view_page_format', 0), false);
   $output .= theme('table', $header, $rows, array('class' =>
'download_count'));
- -  $output .=
check_markup(variable_get('download_counter_view_page_footer', ''),
variable_get('download_counter_view_page_format', 0), false);
+  $output .=
check_markup(check_plain(variable_get('download_counter_view_page_footer',
'')), variable_get('download_counter_view_page_format', 0), false);
   return $output;
 }
 /**

Full details are also available at http://www.madirish.net/?article=492

- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk4DOBYACgkQkSlsbLsN1gBNmgb8CtCwY6YhnwYNF/X6UjN453NA
KHFCBNM9ZH7fOrQ6kf+g1UHMO9WHvkzea08iigtFYA3VS0WkHrHccw0+ATYmxfSk
yCoRNez6iK78F4wi7fJTJPNCnoE0L7ogg3AccNDphR1JipNkLtzuOFJMrYGZpZ+y
UEdQS4+SOvqJB19G1PU1uAhtQoj+sqK9DzGdK57eyIkChJjVbQzWpH3Y0LMRz1c/
92qC6sNyipvKv76rX31IzV7Dh+QhDIoNHmmjiDg3jHV8pHP4+hLWLeAdrU3UxQJI
H1QFeDsnBytK0qXZ2Js=
=si5G
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ