Date: Mon, 4 Aug 2014 15:31:25 -0600
From: Greg Knaddison <greg.knaddison@...il.com>
To: Ubani Balogun <ubani@....upenn.edu>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Superfish 7.x Minor Cross Site Scripting Vulnerability

Thanks for reporting this bug to the Drupal Security Team and for sharing a
description of it here.

I think the mitigating factors section is a little unclear. I've added some
information about them inline below.

On Mon, Aug 4, 2014 at 12:54 PM, Ubani Balogun <ubani@....upenn.edu> wrote:

>
> Mitigating Factors:
> - -------------------
> A malicious user must have permissions to administer the superfish
> module in order to inject and execute arbitrary script. The
> vulnerability is further mitigated by the fact that the injected
> script is not persistent, thus reducing the impact of the vulnerability.
>

This is a reflected XSS issue that requires a form POST. The malicious
JavaScript is not stored/persisted. The form POST is protected by a CSRF
token so it cannot be exploited against another person.

Therefore, the attack requires social engineering to trick an admin into
performing XSS against themselves. Given that, there are probably other,
easier ways to trick a Drupal admin into introducing a more persistent
vulnerability into the site. A similar XSS issue exists in nearly all web
applications by social-engineering a site-admin to open the "developer
tools" and paste in some JavaScript the way that people have gone after
Facebook:

http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools


Regards,
Greg

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
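
The mitigating factor described in the reply above, modelled as an added example (not part of the original message, and not Drupal's or the Superfish module's code): a POST handler that checks a session-bound form token before it redisplays a submitted value, with and without output escaping. The handler, field names, form id and session ids are all hypothetical, and the submitted value is benign markup constructed for the demonstration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed per-site secret; every name in this block is hypothetical.
SITE_KEY = secrets.token_bytes(32)
FORM_ID = "module_settings_form"

def form_token(session_id: str) -> str:
    """Token bound to one session and one form, embedded when the form is rendered."""
    msg = f"{session_id}:{FORM_ID}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()

def handle_post(session_id: str, post: dict, escape_output: bool):
    """Validate the token, then redisplay the submitted value in the form."""
    expected = form_token(session_id).encode()
    supplied = post.get("form_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        # A cross-site POST cannot read the admin's page, so it lacks this token.
        return 403, "form token validation failed"
    value = post.get("label", "")
    if escape_output:
        value = html.escape(value, quote=True)  # the fix for the reflection
    return 200, f'<input name="label" value="{value}">'

def run_cases():
    admin, other = "sess-admin", "sess-other"  # constructed session ids
    probe = '"><i>probe</i>'  # benign markup standing in for injected script
    return {
        "cross_site_no_token": handle_post(admin, {"label": probe}, False),
        "token_from_other_session": handle_post(
            admin, {"label": probe, "form_token": form_token(other)}, False),
        "own_submission_unescaped": handle_post(
            admin, {"label": probe, "form_token": form_token(admin)}, False),
        "own_submission_escaped": handle_post(
            admin, {"label": probe, "form_token": form_token(admin)}, True),
    }

if __name__ == "__main__":
    for name, (status, body) in run_cases().items():
        print(f"{name}: {status} {body}")
```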
