[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Drupal Viewfield Module XSS Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, it's yet another CCK related module with XSS vulnerabilities.  It's
lame, but it should be reported since the Drupal security team has
already made an announcement about the issue in these modules.  Drupal
security and module maintainer have been notified.  Details can also be
found at http://www.lampsecurity.org/node/20.

The Drupal Viewfield module (http://drupal.org/project/viewfield) is
designed to allow the creation of nodes that display views and is
vulnerable to cross site scripting attacks.  Version 5.x-1.5 was tested
and found vulnerable, but other versions may be affected.  This problem
is related to SA-CORE-2009-002 (http://drupal.org/node/372836).  The
problem occurs when an administrator creates a new content type using
CCK and then adds or edits a view field for the new content type.  Users
authorized to administer content types can configure this field with
malicious code in the "Help text:" area.  Input to this field is not
properly sanitized and JavaScript can be executed while attempting to
create new content that includes the link field, or while configuring
the link field.

Here are the steps involved in reproducing this issue:


1.  Log in as a user with 'Administer content types' privilege
2.  Click Administer -> Content Types
3.  Click 'Add content type'
4.  Fill in required text in the Identification, Submission and other
fieldsets
5.  Click 'Save content type' button
6.  Click 'edit' under the Operations column on the 'Administer' ->
'Content management' screen for the new content type
7.  Click 'Add field'
8.  Fill in the 'Name' text box in the 'Create new field' fieldset and
select the 'View' radio button
9.  Click the 'Create field' button
10.  In the next screen (assuming the new field was named 'test' and the
new type was named 'test' this will be in Home > Administer > Content
management > Content types > test) find the 'Widget settings' filedset
11.  Under "Help text:" enter <script>alert("xss");</script>
12.  Click 'Save field settings' button
13.  Click 'configure' under the Operations column for the View field OR
click Create content and then choose the content type you  created in
the previous steps to trigger the JavaScript.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSaaxipEpbGy7DdYAAQL38Qb/UdUjLby/IgNk8RUwF2d63uYfwfy1G6rn
vyuiGvpcOOz0y/iBmSs64UUSAPS55kYe4VQm9WXXMSQVfeBPuPnVACS8aGFmmCuX
ZZXSE+wRYq1NlXw2L2tOw2br/rszm+DK4TREPkVYiBDpKbfMAuiGjBP9RQQunhqD
+itxAvhspCjECOTfmE6s0PUXclC9Ypc2w9ow7a4yua5tmT2MntPjM1ByvXbldeNl
O9S8O0D8DauoCxieKRMQWusdnh1yG7zMmSGUXOtkIAdGaRkTQ8JHKdQqKt8923hN
3fbz9oU7bV8=
=wH4k
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/