
[Full-disclosure] Drupal Protected Node Module XSS Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version Tested:  5.x-1.3 on Drupal 5.15

The Drupal Protected Node module
(http://drupal.org/project/protected_node) restricts access to
individual nodes with a password.  When a node is created it can be
marked 'protected node' and given a password; users attempting to view
that node must first enter the password.  Details of this vulnerability
can also be found at http://lampsecurity.org/node/28.

The Protected Node module fails to properly sanitize the text entered in
the 'Password page info' field under Administer -> Site Configuration ->
Protected Node.  Only users with the 'administer site configuration'
permission can reach this page, so the issue can only be planted by an
already privileged account (or by an attacker who has obtained one); the
stored script is then executed in the browser of every visitor,
anonymous users included, who is shown the password prompt for a
protected node.

Steps to reproduce the exploit:

1.  Enable the Protected Node module
2.  Set permissions (Administer -> User Management) so anonymous users
can access protected content in the protected_node module section
3.  Click Administer -> Site Configuration -> Protected node
4.  Enter the value <script>alert('xss');</script> into the 'Password
page info' textarea
5.  Create a new piece of content
6.  In the 'Protected node' section on the content creation screen check
the 'Node is protected' checkbox and enter a password.
7.  Save the content.
8.  Log out and view the content to trigger the JavaScript


Technical details:

This vulnerability is introduced by a failure to sanitize the
administrator-supplied text before it is displayed in the
protected_node_enterpassword() function in protected_node.module.
Lines 272-274 print the stored text, unescaped, using the statement:

$form['protected_node'] = array(
  '#value' => $info
);

Because the element carries no '#type', the Form API treats it as markup
and emits '#value' verbatim.  The $info variable should be sanitized
with check_plain() (or a similar function such as filter_xss() if a
limited set of HTML tags is intended) before it is placed in the form,
which prevents the XSS vulnerability.
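The following is an added example, not code from the Protected Node
module or from Drupal core.  It places the unsanitized element quoted
above next to a check_plain()-filtered version and runs both through a
stand-in for the Form API markup rendering.  The helper names
(render_markup, password_page_info_vulnerable, password_page_info_fixed)
and the check_plain() fallback are assumptions made so the script runs
outside of Drupal; the input string is the one from step 4 of the
reproduction.

```php
<?php
// Added example: contrasts the unsanitized 'Password page info' element
// described in the advisory with a check_plain()-escaped one.  Not code
// from the Protected Node module or Drupal core.

// Fallback so the script runs outside Drupal.  Drupal's own check_plain()
// is htmlspecialchars() with ENT_QUOTES and UTF-8 (assumption: the
// bundled version is used when this file is included from Drupal).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Simplified stand-in for the Drupal 5 Form API (assumed helper): an
// element without '#type' is rendered as markup, i.e. its '#value' is
// written to the page verbatim.  This is what lets raw $info reach the
// browser.
function render_markup(array $element) {
  return isset($element['#value']) ? $element['#value'] : '';
}

// Vulnerable construction, mirroring protected_node_enterpassword():
// the administrator-supplied text is placed in the form untouched.
function password_page_info_vulnerable($info) {
  $form['protected_node'] = array(
    '#value' => $info,
  );
  return render_markup($form['protected_node']);
}

// Hardened construction: escape before the text becomes markup.
function password_page_info_fixed($info) {
  $form['protected_node'] = array(
    '#value' => check_plain($info),
  );
  return render_markup($form['protected_node']);
}

// Constructed input, the payload from step 4 of the reproduction.
$info = "<script>alert('xss');</script>";

$vulnerable = password_page_info_vulnerable($info);
$fixed      = password_page_info_fixed($info);

echo "vulnerable markup: $vulnerable\n";
echo "fixed markup:      $fixed\n";

// Sanity check: the escaped output must contain no raw tag delimiters
// or quotes, so nothing in it can start a script element or attribute.
foreach (array('<', '>', '"', "'") as $ch) {
  if (strpos($fixed, $ch) !== false) {
    fwrite(STDERR, "check_plain() left a raw '$ch' in the output\n");
    exit(1);
  }
}
echo "fixed output contains no unescaped HTML delimiters\n";
```

check_plain() is the right tool here because the field is plain text
that an administrator types into a textarea; if the field is meant to
carry limited HTML, filter an allowlist of tags instead rather than
passing the text through unmodified.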

The Drupal security team (http://drupal.org/security) and the module
maintainer have been notified.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSagRtJEpbGy7DdYAAQJuYwcAjhDPxL2rYb9epxZ5J55kslSVYC0tMxaR
89AtwVC7NqXZ6fn9XH1vn71jw1qCNp6xnyNUgmlZDFmKs11Q3iTHgS5O2pWOiu8E
SUwPqguqRlx6QgQRtsJaKnS0zAFHWWc2i/jZWeHwkucf3LgJkYcEC4T/p8rRDjp3
wM0KdJnhbqC4/D8jSPAD3Ila8CRci9uoWwyGM6O4YtNQ/sxjtSHVC2ngmG3q2jTc
JRZtMsmiAgyj4CxCY3cbcAEFTDowredqt0283Y8s+qOxKwXlDZMeoKpRfyGK2FO2
IPLhieMuPdc=
=xS7G
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/