lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20110724103345.GB20396@foo.fgeek.fi>
Date: Sun, 24 Jul 2011 13:33:45 +0300
From: Henri Salo <henri@...v.fi>
To: Justin Klein Keane <justin@...irish.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal Data Module Multiple Vulnerabilities

On Wed, Feb 09, 2011 at 12:40:29PM -0500, Justin Klein Keane wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Description of Vulnerability:
>
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Data module
> (http://drupal.org/project/data) "helps you model, manage and query
> related sets of tables. It offers an administration interface and a low
> level API for manipulating tables and accessing their contents."
>
> The Data module contains multiple Cross Site Scripting (XSS)
> vulnerabilities because it fails to sanitize table descriptions, field
> names or labels before display. This results in multiple stored XSS as
> well as DOM based XSS vulnerabilities. Drupal site users with the
> ability to create or edit tables using the Data module could inject
> arbitrary HTML into administrative pages.
>
> The Data module also contains numerous SQL injection vulnerabilities
> because it fails to sanitize values for table names or column names
> before invoking SQL statements. This allows users with the ability to
> create or edit tables managed by the Data module to perform SQL
> injection attacks.
>
> Systems affected:
>
> Drupal 6.20 with Data 6.x-1.0-alpha14 was tested and shown to be vulnerable.
>
> Impact
>
> User could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise. A more likely scenario would be for an
> attacker to inject hidden content (such as iframes, applets, or embedded
> objects) that would attack client browsers in an attempt to compromise
> site users' machines. This vulnerability could also be used to launch
> cross site request forgery (XSRF) attacks against the site that could
> have other unexpected consequences.
>
> Mitigating factors:
>
> In order to exploit this vulnerability the attacker must have
> credentials to an authorized account that has been assigned the
> permissions to administer or edit in the Data module. This could be
> accomplished via social engineering, brute force password guessing, or
> abuse of legitimate credentials.
>
> Vendor response:
>
> Drupal security team does not handle issues with pre-release versions of
> modules (such as alpha or dev). These issues were reported in the
> module's public issue queue (http://drupal.org/node/1056470).
>
> The text of this advisory has also been posted at
> http://www.madirish.net/?article=480
>
> - --
> Justin C. Klein Keane
> http://www.MadIrish.net

Does this issue have a CVE identifier? I can request a CVE identifier if there isn't one.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
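The advisory names two sinks: table and column names spliced into SQL, and descriptions or labels echoed into admin pages. The following is an added illustration (plain PHP, not code from the message or from the Data module) of how each is closed: identifiers cannot be bound as query parameters, so they are validated against an allowlist pattern, while free-text metadata is escaped for HTML on output. The function names `data_safe_identifier`, `data_build_select` and `data_safe_label` and the sample inputs are constructed for this example.

```php
<?php
// Added example, not part of the advisory or the Data module. Function names
// are hypothetical; inputs below are constructed.

// Table/column names are SQL identifiers, which cannot be passed as bound
// parameters. Accept only a strict allowlist pattern and reject everything
// else, instead of trying to "escape" the name.
// Assumption: the application only needs [A-Za-z_][A-Za-z0-9_]* identifiers.
function data_safe_identifier(string $name): string {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException(
            'Refusing unsafe identifier: ' . json_encode($name));
    }
    return $name;
}

// Compose a query from validated identifiers; the only runtime value (the
// row id) is bound as a placeholder, never interpolated into the string.
// Returns [sql, params] ready for a prepared statement.
function data_build_select(string $table, array $columns, int $id): array {
    $cols = implode(', ', array_map('data_safe_identifier', $columns));
    $tbl  = data_safe_identifier($table);
    return ["SELECT $cols FROM $tbl WHERE id = ?", [$id]];
}

// Descriptions and labels are free text: keep them verbatim in storage and
// escape at the HTML boundary. This is the plain-PHP equivalent of Drupal's
// check_plain().
function data_safe_label(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a well-formed table definition, a description that
// carries markup, and a table name that is not a plain identifier.
[$sql, $params] = data_build_select('data_orders', ['id', 'title'], 7);
echo $sql, ' with params ', json_encode($params), "\n";

echo data_safe_label('Orders <b>2011</b> & "notes"'), "\n";

try {
    data_build_select("data'orders", ['id'], 7);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same validation belongs on the create/edit path for table definitions, so that a name which would fail `data_safe_identifier` is never stored in the first place.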