Message-ID: <20110724103345.GB20396@foo.fgeek.fi>
Date: Sun, 24 Jul 2011 13:33:45 +0300
From: Henri Salo <henri@...v.fi>
To: Justin Klein Keane <justin@...irish.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal Data Module Multiple Vulnerabilities
On Wed, Feb 09, 2011 at 12:40:29PM -0500, Justin Klein Keane wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Description of Vulnerability:
>
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Data module
> (http://drupal.org/project/data) "helps you model, manage and query
> related sets of tables. It offers an administration interface and a low
> level API for manipulating tables and accessing their contents."
>
> The Data module contains multiple Cross Site Scripting (XSS)
> vulnerabilities because it fails to sanitize table descriptions, field
> names or labels before display. This results in multiple stored XSS as
> well as DOM based XSS vulnerabilities. Drupal site users with the
> ability to create or edit tables using the Data module could inject
> arbitrary HTML into administrative pages.
>
> The Data module also contains numerous SQL injection vulnerabilities
> because it fails to sanitize values for table names or column names
> before invoking SQL statements. This allows users with the ability to
> create or edit tables managed by the Data module to perform SQL
> injection attacks.
>
> Systems affected:
>
> Drupal 6.20 with Data 6.x-1.0-alpha14 was tested and shown to be vulnerable.
>
> Impact
>
> User could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise. A more likely scenario would be for an
> attacker to inject hidden content (such as iframes, applets, or embedded
> objects) that would attack client browsers in an attempt to compromise
> site users' machines. This vulnerability could also be used to launch
> cross site request forgery (XSRF) attacks against the site that could
> have other unexpected consequences.
>
> Mitigating factors:
>
> In order to exploit this vulnerability the attacker must have
> credentials to an authorized account that has been assigned the
> permissions to administer or edit in the Data module. This could be
> accomplished via social engineering, brute force password guessing, or
> abuse of legitimate credentials.
>
> Vendor response:
>
> Drupal security team does not handle issues with pre-release versions of
> modules (such as alpha or dev). These issues were reported in the
> module's public issue queue (http://drupal.org/node/1056470).
>
> The text of this advisory has also been posted at
> http://www.madirish.net/?article=480
>
> - --
> Justin C. Klein Keane
> http://www.MadIrish.net
Does this issue have a CVE identifier? I can request a CVE identifier if there isn't one.
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
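The advisory above names two root causes: editor-supplied text (table descriptions, field names, labels) echoed into administrative pages without output encoding, and editor-supplied table or column names interpolated into SQL text. The stand-alone PHP below is an added illustration of both fixes written for this thread; it is not code from the Data module, from Drupal core, or from either poster. The helper names (`encode_for_html`, `validate_sql_identifier`, the `render_*` and `build_select_*` functions) are hypothetical, and the sample description and column name are constructed input. The helpers mirror what Drupal 6 core's `check_plain()` and `db_escape_table()` do, except that the identifier check rejects a bad name instead of silently stripping characters from it.

```php
<?php
// Added illustration, not Data module code. Helper names are hypothetical;
// they mirror the behaviour of Drupal 6 core's check_plain() and
// db_escape_table(). Run with: php data_module_sanitize_example.php

declare(strict_types=1);

/**
 * Output encoding for untrusted text rendered into HTML (what check_plain()
 * does): a stored description, field name or label is encoded at output time,
 * so any markup an editor saved is shown as text rather than interpreted.
 */
function encode_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Identifier validation for table and column names used in SQL. Identifiers
 * cannot be bound as query parameters, so they must be restricted to a safe
 * alphabet instead. db_escape_table() strips disallowed characters; this
 * version rejects the name outright so a tampered name fails loudly.
 */
function validate_sql_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException('Refusing unsafe SQL identifier: ' . $name);
    }
    return $name;
}

/** Vulnerable pattern: stored description echoed straight into the admin page. */
function render_description_unsafe(string $description): string
{
    return '<p class="description">' . $description . '</p>';
}

/** Fixed pattern: encode at the point of output. */
function render_description_safe(string $description): string
{
    return '<p class="description">' . encode_for_html($description) . '</p>';
}

/** Vulnerable pattern: editor-controlled names interpolated into SQL text. */
function build_select_unsafe(string $table, string $column): string
{
    return "SELECT {$column} FROM {$table} WHERE id = ?";
}

/**
 * Fixed pattern: identifiers validated against a whitelist and quoted;
 * row values stay as bound parameters (the "?" placeholder).
 */
function build_select_safe(string $table, string $column): string
{
    $table  = validate_sql_identifier($table);
    $column = validate_sql_identifier($column);
    return "SELECT `{$column}` FROM `{$table}` WHERE id = ?";
}

// Constructed sample input standing in for what an editor with Data module
// permissions could save through the table and field forms.
$description = 'Customer list <script>alert(1)</script>';
$column      = 'name` -- ';

echo "Unsafe render:\n  ", render_description_unsafe($description), "\n";
echo "Safe render:\n  ", render_description_safe($description), "\n\n";

echo "Unsafe SQL:\n  ", build_select_unsafe('customers', $column), "\n";
try {
    echo "Safe SQL:\n  ", build_select_safe('customers', $column), "\n";
} catch (InvalidArgumentException $e) {
    echo "Safe SQL:\n  rejected: ", $e->getMessage(), "\n";
}
echo "Safe SQL with a clean name:\n  ", build_select_safe('customers', 'name'), "\n";
```

The encoding step belongs at output, not at save time, so that the stored value stays usable for other consumers and a later change to the rendering path cannot reintroduce the problem. Rejecting rather than stripping identifiers is a deliberate choice: a silently rewritten column name is easy to miss in testing, whereas an exception in the admin UI is logged and noticed.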