lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 04 Aug 2014 14:54:47 -0400
From: Ubani Balogun <>
Subject: [FD] Superfish 7.x Minor Cross Site Scripting Vulnerability

Hash: SHA1

Superfish 7.x-1.9 Cross Site Scripting Vulnerability

Author: Ubani A Balogun <>
Reported: June 25, 2014

Product Description:
- --------------------
Superfish integrates jQuery Superfish plugin with your Drupal menus.

Description of Vulnerability:
- -----------------------------
Superfish suffers from a minor Cross Site Scripting vulnerability due
to its failure to sanitize error messages before displaying them using
the Drupal form_set_error function on the module configuration page.

System impacted:
- ----------------
Superfish 7.x-1.9 was tested on Drupal 7.28 using the Mozilla Firefox
29.0 browser and found to be vulnerable.

- -------
Users with the permission to administer the superfish module can
inject arbitrary script via the module configuration form that
executes if form validation fails.

Mitigating Factors:
- -------------------
A malicious user must have permissions to administer the superfish
module in order to inject and execute arbitrary script. The
vulnerability is further mitigated by the fact that the injected
script is not persistent, thus reducing the impact of the vulnerability.

Proof of Concept:
- -----------------
1. Install and enable Superfish 7.x-1.9 on Drupal 7.28
2. Navigate to the superfish administration page at
3. Replace the contents of the text area "Path to Superfish library"
with: "<script>alert('XSS')</script>" (excluding quotes)
4. Click save configuration. Form validation fails, but a javascript
alert box with text "XSS" pops up

- ------
The following patch mitigates the vulnerability

- ---	2014-06-25 13:23:30.274737050 -0400
+++	2014-06-25 13:26:59.542740204 -0400
@@ -107,7 +107,7 @@ function superfish_admin_settings_valida
       else {
         $error_message = t('File not found') . ': ' . $error[0];
- -      form_set_error('superfish_slp', $error_message);
+      form_set_error('superfish_slp', check_plain($error_message));

Vendor Response:
- ----------------
The Drupal security team has acknowledged the existence of the
vulnerability and will be addressing the issue publicly. Due to the
low exploitability of the vulnerability, a patch will be released at
the module maintainer's earliest convenience.

- -- 
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
Version: GnuPG v1


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists