Message-ID: <CAANPUChxjp2tJgJFup7vV+0-Dz-vxpsb23P2Lty1TE_=ZOPCDg@mail.gmail.com>
Date: Wed, 14 Aug 2013 08:00:39 -0600
From: Greg Knaddison <greg.knaddison@...il.com>
To: "Justin C. Klein Keane" <justin@...irish.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Drupal core XSS vulnerability

Thanks to Justin for identifying and describing this issue.

With a little more detail inline.

On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane
<justin@...irish.net> wrote:
<snip>
> Mitigating factors:
> -------------------
> In order to inject arbitrary script malicious attackers must have the
> ability to manipulate module .info files on a site filesystem, perhaps
> via permissions misconfiguration,

It feels unclear to me if the permissions mentioned here are Drupal
permissions or others. So, to be clear, this would require server file
permission misconfiguration. The info files are placed in the same
directories as php code. For this vulnerability to be significant it
would require permissions like:

-rw-rw-rw-  1 deployuser  deployuser    243 Jan  7  2013 machine_name.info
-rw-rw-r--  1 deployuser  deployuser    434 Jan  7  2013 machine_name.install
-rw-rw-r--  1 deployuser  deployuser   3802 Jan  7  2013 machine_name.module

Or maybe:

-rw-rw-r--  1 deployuser  somegroup    243 Jan  7  2013 machine_name.info
-rw-r--r--  1 deployuser  somegroup    434 Jan  7  2013 machine_name.install
-rw-r--r--  1 deployuser  somegroup   3802 Jan  7  2013 machine_name.module

In the first scenario the attacker would just need a shell on the
server. In the second scenario the attacker would need a shell on the
server and membership in somegroup.

<snip>

> feels this issue is already public (https://drupal.org/node/637538),
> however the public discussion only concerns the development of the
> next major release of Drupal - Drupal 8.  There is no mention in the
> public discussion, of the fact that this issue faces both current
> supported release versions (Drupal 7 and Drupal 6) and likely previous
> releases.

I updated that issue to include Drupal 7 and Drupal 6 mentions.

It's true this affects previous releases, but previous releases are
explicitly EOL and full of holes that are not documented.
* Drupal 5 EOL Announcement: https://drupal.org/node/1027214
* Drupal 4.7 EOL Announcement: https://drupal.org/node/225729

Regards,
Greg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
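The two permission scenarios Greg lays out above can be turned into a simple audit: a `.info` file is only a concern if someone other than its owner can write it, and the write bits plus the group name decide whether that is any local shell account (scenario one, world-writable) or only members of a specific group (scenario two, group-writable). The script below is an added example, not code from the thread or from Drupal; it parses `ls -l` lines in the shape quoted in the message and can also walk a live module tree with `os.stat`. The function names, the `owner-only` verdict for files whose group equals their owner (the user-private-group convention), and the sample listings are all constructed for this example.

```python
#!/usr/bin/env python3
"""Flag Drupal .info files that a non-owner could rewrite.

Added example for the thread on .info-file XSS; not Drupal project code.
Verdicts follow the two scenarios described in the message:
  world-writable  -> any shell account on the server can edit the file
  group-writable  -> editing needs membership in the file's group
  owner-only      -> only the owning account (or root) can edit it
"""
import os
import stat
import sys

INFO_SUFFIX = ".info"  # Drupal module/theme metadata files


def classify(mode, owner, group):
    """Classify a file's mode bits together with its owner and group names.

    Assumption (constructed for this example): a group-writable file whose
    group name equals its owner name is treated as owner-only, i.e. the
    group is the owner's private group with no other members."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and group != owner:
        return "group-writable"
    return "owner-only"


def parse_ls_line(line):
    """Parse one `ls -l` line into (name, mode, owner, group).

    Only the rwx/rws/rwt characters are mapped to bits; an upper-case S or T
    (setuid/sticky without execute) is deliberately left as 'not set'."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError(f"not an ls -l line: {line!r}")
    perms, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):        # skip the file-type column
        if ch in "rwxst":                       # bits from 0o400 down to 0o001
            mode |= 1 << (8 - i)
    return name, mode, owner, group


def audit_ls_output(lines):
    """Return {filename: verdict} for .info files that a non-owner can write."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("total"):
            continue
        name, mode, owner, group = parse_ls_line(line)
        if not name.endswith(INFO_SUFFIX):
            continue
        verdict = classify(mode, owner, group)
        if verdict != "owner-only":
            findings[name] = verdict
    return findings


def audit_tree(root):
    """Same check against a live tree (e.g. sites/all/modules) using os.stat.

    Returns {path: verdict}. Symlinks are skipped; unknown uid/gid are
    reported numerically so the verdict still falls back to the bit check."""
    import grp
    import pwd
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(INFO_SUFFIX):
                continue
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            try:
                group = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                group = str(st.st_gid)
            verdict = classify(stat.S_IMODE(st.st_mode), owner, group)
            if verdict != "owner-only":
                findings[path] = verdict
    return findings


# Constructed sample input: the two listings quoted in the message.
SCENARIO_ONE = [
    "-rw-rw-rw-  1 deployuser  deployuser    243 Jan  7  2013 machine_name.info",
    "-rw-rw-r--  1 deployuser  deployuser    434 Jan  7  2013 machine_name.install",
    "-rw-rw-r--  1 deployuser  deployuser   3802 Jan  7  2013 machine_name.module",
]
SCENARIO_TWO = [
    "-rw-rw-r--  1 deployuser  somegroup    243 Jan  7  2013 machine_name.info",
    "-rw-r--r--  1 deployuser  somegroup    434 Jan  7  2013 machine_name.install",
    "-rw-r--r--  1 deployuser  somegroup   3802 Jan  7  2013 machine_name.module",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # usage: script.py /path/to/drupal
        for path, verdict in sorted(audit_tree(sys.argv[1]).items()):
            print(f"{verdict:15} {path}")
    else:
        print("scenario one:", audit_ls_output(SCENARIO_ONE))
        print("scenario two:", audit_ls_output(SCENARIO_TWO))
```

Run with no arguments to see the two quoted listings classified (`machine_name.info` comes out `world-writable` in the first and `group-writable` in the second, while the `.install` and `.module` files are ignored because they are not what the vulnerability reads); pass a Drupal root to audit a real install. A clean result means the precondition Greg describes is not met, which is the check worth adding to a deployment review regardless of which Drupal branch is in use.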
