| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Mar 2012 18:40:59 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Security-news] SA-CONTRIB-2012-051 -
Activity - Multiple Vulnerablities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Exploit for bespoke:
* Install and enable the Activity and Flag modules
* Add a new Flag with an arbitrary name at ?q=admin/build/flags/add
* On the resulting page (?q=admin/build/flags/add/node/[name]) enter
"<script>alert('xss');</script>" for the flag Title
* View the rendered Javascript at /?q=admin/settings/activity/flagactivity
* As above
* Alter the "Comment: Insert:" field in the "Message visible to the
"All" role" fieldgroup at ?q=admin/settings/activity/commentactivity
to insert the text "<script>alert('xss');</script>"
* Move the "Activity (All): show all recent activity" block to a
visible content region at ?q=admin/build/block
* Create a story at ?q=node/add/story
* Log out
* As anonymous user add a comment at ?q=comment/reply/X#comment-form
where X is the nid of the story from step #4
* Submit the comment to view the rendered JavaScript alert in the
Activity block or log back in to see the JavaScript at ?q=activity
Patch:
The following patch mitigates the above vulnerabilities.
- --- activity/activity.module 2009-04-26 21:45:25.000000000 -0400
+++ activity.fixed/activity.module 2012-01-26 06:34:56.014821191 -0500
@@ -311,7 +311,7 @@ function activity_module_settings(&$form
'#type' => 'checkboxes',
'#title' => t('Token types'),
'#description' => t('Select the token types that you wish to
record activity from.'),
- - '#options' => $info['types'],
+ '#options' => array_map("filter_xss", $info['types']),
'#default_value' => variable_get($module .'_token_types',
array_keys($info['types'])),
'#attributes' => array('class' => 'activity-token-types'),
);
@@ -350,7 +350,7 @@ function activity_module_settings(&$form
if (count($types) > 1) {
$form[$module][$role_name][$type_name] = array(
'#type' => 'fieldset',
- - '#title' => t($type),
+ '#title' => filter_xss(t($type)),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit
activity_invoke_activityapi($activity, 'render');
$message = token_replace($pattern, $module, $data);
$message = token_replace($message, 'activity', $data);
- - return $message;
+ return filter_xss($message);
}
}
Justin Klein Keane
http://www.MadIrish.net
On 03/28/2012 04:29 PM, security-news@...pal.org wrote:
> * Advisory ID: DRUPAL-SA-CONTRIB-2012-051 * Project: Activity [1]
> (third-party module) * Version: 6.x * Date: 2012-March-28 *
> Security risk: Moderately critical [2] * Exploitable from: Remote *
> Vulnerability: Cross Site Scripting, Cross Site Request Forgery
>
> -------- DESCRIPTION
> ---------------------------------------------------------
>
> The Activity module keeps track of the things people do on your
> site and provides mini-feeds of these activities in blocks, in a
> specialized table, and via RSS. The module is extensible so that
> any other module can integrate with it. The messages that are
> produced are customizable via the admin interface and are context
> sensitive.
>
> The 6.x-1.x branch of the module does not filter output of the
> module settings correctly leading to a cross site scripting
> vulnerability (XSS). It also does not confirm user intent when
> removing a single activity resulting in a cross site request
> forgery vulnerability.
>
> The XSS vulnerability is mitigated by the fact that it requires the
> malicious user to have a role with the "access administration
> pages" and "administer activity" permissions.
>
> -------- VERSIONS AFFECTED
> ---------------------------------------------------
>
> * All releases of the 6.x-1.x branch
>
> Drupal core is not affected. If you do not use the contributed
> Activity [3] module, there is nothing you need to do.
>
> -------- SOLUTION
> ------------------------------------------------------------
>
> Install the latest version:
>
> * The 6.x-1.x branch of this module is no longer supported. Upgrade
> to 6.x-2.0-alpha1 [4]
>
> Note that there is currently no upgrade path. Users of the module
> are encouraged to work in the module queue to help build an upgrade
> path. Also see the Activity [5] project page.
>
> -------- REPORTED BY
> ---------------------------------------------------------
>
> * Ivo Van Geertruyen [6] of the Drupal Security Team
>
> -------- COORDINATED BY
> ------------------------------------------------------
>
> * Michael Hess [7] of the Drupal Security Team * Greg Knaddison [8]
> of the Drupal Security Team
>
> -------- CONTACT AND MORE INFORMATION
> ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org
> or via the contact form at http://drupal.org/contact [9].
>
> Learn more about the Drupal Security team and their policies [10],
> writing secure code for Drupal [11], and securing your site [12].
>
>
> [1] http://drupal.org/project/activity [2]
> http://drupal.org/security-team/risk-levels [3]
> http://drupal.org/project/activity [4]
> http://drupal.org/node/944146 [5]
> http://drupal.org/project/activity [6]
> http://drupal.org/user/383424 [7] http://drupal.org/user/102818 [8]
> http://drupal.org/user/36762 [9] http://drupal.org/contact [10]
> http://drupal.org/security-team [11]
> http://drupal.org/writing-secure-code [12]
> http://drupal.org/security/secure-configuration
>
> _______________________________________________ Security-news
> mailing list Security-news@...pal.org
> http://lists.drupal.org/mailman/listinfo/security-news
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iPwEAQECAAYFAk9zk3sACgkQkSlsbLsN1gDgdAb+MocrDc6H7WlWnVIstWZ789HX
YiEghVeylWjGvarEN2sLytvIXoA2XvDcCl2y6dSwc7VawlaI3rgT8OXn5981jqfv
bwDA7b59po+98L11YjBbF1glLox5Xp/X+XGC/dLb64NKAl9DzB4t9Uxfo5YfHIvk
JVaqzSQxSQVGQ0aTICe4k1hwkSdOBCN5rCq7LU2Ms1R0vyATUNfQKPIbqRpO3GfP
ccQ5IRuZ+k5x7FlGlg1eZ0+h3KOlOvCZ+movFf5jsxAwnmQoTeF0zd4JuMzAmvYq
QHxXwWLzA7BdY5ijpH0=
=EgBQ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists