Message-ID: <CAANPUChxjp2tJgJFup7vV+0-Dz-vxpsb23P2Lty1TE_=ZOPCDg@mail.gmail.com>
Date: Wed, 14 Aug 2013 08:00:39 -0600
From: Greg Knaddison <greg.knaddison@...il.com>
To: "Justin C. Klein Keane" <justin@...irish.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal core XSS vulnerability
Thanks to Justin for identifying and describing this issue.
With a little more detail inline.
On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane
<justin@...irish.net> wrote:
<snip>
> Mitigating factors:
> - -------------------
> In order to inject arbitrary script malicious attackers must have the
> ability to manipulate module .info files on a site filesystem, perhaps
> via permissions misconfiguration,
It feels unclear to me if the permissions mentioned here are Drupal
permissions or others. So, to be clear, this would require server file
permission misconfiguration. The info files are placed in the same
directories as php code. For this vulnerability to be significant it
would require permissions like:
-rw-rw-rw- 1 deployuser deployuser 243 Jan 7 2013 machine_name.info
-rw-rw-r-- 1 deployuser deployuser 434 Jan 7 2013 machine_name.install
-rw-rw-r-- 1 deployuser deployuser 3802 Jan 7 2013 machine_name.module
Or maybe:
-rw-rw-r-- 1 deployuser somegroup 243 Jan 7 2013 machine_name.info
-rw-r--r-- 1 deployuser somegroup 434 Jan 7 2013 machine_name.install
-rw-r--r-- 1 deployuser somegroup 3802 Jan 7 2013 machine_name.module
In the first scenario the attacker would just need a shell on the
server. In the second scenario the attacker would need a shell on the
server and membership in somegroup.
<snip>
> feels this issue is already public (https://drupal.org/node/637538),
> however the public discussion only concerns the development of the
> next major release of Drupal - Drupal 8. There is no mention in the
> public discussion, of the fact that this issue faces both current
> supported release versions (Drupal 7 and Drupal 6) and likely previous
> releases.
I updated that issue to include Drupal 7 and Drupal 6 mentions.
It's true this affects previous releases, but previous releases are
explicitly EOL and full of holes that are not documented.
* Drupal 5 EOL Announcement: https://drupal.org/node/1027214
* Drupal 4.7 EOL Announcement: https://drupal.org/node/225729
Regards,
Greg
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
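
Added example (not part of the message above, and not Drupal project code): a shell audit for the two file-mode scenarios the message lists, reporting module files that are world-writable or writable by the owning group. The function names, the output format and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag Drupal module files whose mode bits match the two
# scenarios in the message. All names here are hypothetical.

# Build a constructed tree: "first" uses the modes of the first listing
# (666/664/664), "second" those of the second listing (664/644/644).
make_sample_tree() {
    mkdir -p "$1/first" "$1/second"
    for d in first second; do
        for ext in info install module; do : > "$1/$d/machine_name.$ext"; done
    done
    chmod 666 "$1/first/machine_name.info"
    chmod 664 "$1/first/machine_name.install" "$1/first/machine_name.module"
    chmod 664 "$1/second/machine_name.info"
    chmod 644 "$1/second/machine_name.install" "$1/second/machine_name.module"
}

# Print one line per risky file: "<class> <owning group> <path>"
#   WORLD = writable by any local account
#   GROUP = writable by members of the owning group
audit_module_perms() {
    find "$1" -type f \
        \( -name '*.info' -o -name '*.install' -o -name '*.module' \) \
        \( -perm -0002 -o -perm -0020 \) -print |
    sort |
    while IFS= read -r f; do
        group=$(ls -ld -- "$f" | awk '{print $4}')
        if [ -n "$(find "$f" -prune -perm -0002)" ]; then
            class=WORLD
        else
            class=GROUP
        fi
        printf '%s %s %s\n' "$class" "$group" "$f"
    done
}

# Number of risky files under a directory; non-zero means something to fix.
count_risky() {
    audit_module_perms "$1" | wc -l | tr -d ' '
}

# Demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_module_perms "$demo_dir"
rm -rf "$demo_dir"
```

Files reported here can be tightened with `chmod go-w` once it is confirmed that only the deploy account needs to write them.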