
Re: [Full-disclosure] Drupal Help Injection Module XSS Vulnerability



Correction: Drupal Security Team _only_ deals with vulnerability reports
that are related to major releases or release candidates.

Mori Sugimoto
Drupal Security Team



On 27/02/2010 23:49, Mori Sugimoto wrote:
> This module is still in alpha and not considered suitable for any
> production environment. Drupal Security Team does not deal with
> vulnerability reports that are related to major releases or release
> candidates. Instead we encourage reporters to contact the module
> maintainers and fix any issue in the public issue queue. Please refer to
> http://drupal.org/node/475848 for more detail.
>
> Mori Sugimoto
> Drupal Security Team
>
>
>
> On 17/02/2010 16:29, Justin C. Klein Keane wrote:
>   
>> The full text of this advisory can also be found at
>> http://www.madirish.net/?article=448
>>
>> Description of Vulnerability:
>> -----------------------------
>> Drupal (http://drupal.org) is a robust content management system (CMS)
>> written in PHP and MySQL that provides extensibility through hundreds of
>> third party modules.  The Advanced Help Injection and Export Module
>> (http://drupal.org/project/helpinject) "assists you in writing help
>> texts suitable for use with the Advanced Help module by allowing you to
>> write your help texts in Drupal books."  The module suffers from an
>> arbitrary HTML injection vulnerability.
>>
>> Systems affected:
>> -----------------
>> Drupal 6.15 using Advanced Help 6.x-1.2 and Help Inject 6.x-1.0-alpha6
>> was tested and shown to be vulnerable.  The Advanced Help module is a
>> dependency, but was not tested for vulnerability.
>>
>> Impact
>> ------
>> Attackers can exploit this vulnerability to escalate privilege and take
>> control of the web server process.
>>
>> Mitigating factors:
>> -------------------
>> The Advanced Help and Help Inject modules must be installed and enabled.
>> An attacker must have 'create book content' permissions in order to
>> exploit this vulnerability. Only those with the 'inject help'
>> permission are vulnerable, although this includes the site administrator.
>>
>> Proof of concept:
>> -----------------
>> 1.  Install Drupal 6.15.
>> 2.  Install Book, Advanced Help and Help Inject and enable all
>> functionality through Administer -> Modules
>> 3.  Log in as uid 0 - the admin account
>> 4.  Create a book using 'Create content' -> 'Book page'
>> 5.  Fill in arbitrary values for the book title
>> 6.  Expand the 'Book outline' form and select '<create a new book>' from
>> the 'Book:' select
>> 7.  Save the book using the 'Save' button
>> 8.  Log out and log in as a user with 'create book content' privilege
>> 9.  Click 'Create content' -> 'Book page'
>> 10.  Enter "<script>alert('xss');</script>" for the 'Title:' area
>> 11.  Expand the 'Book outline' fieldset
>> 12.  Select the book created in step 5 from the 'Book:' select item
>> 13.  Click the 'Save' button
>> 14.  Log out and log in as a user with privileges to 'inject help'
>> 15.  Click on any of the Help Inject icons (the little plus in a gray
>> circle)
>> 16.  Click the 'Next' button on the 'path granularity' screen
>> 17.  Observe the JavaScript alert.
>>
>>     

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
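The advisory above describes the bug only as a manual click-through, so here is the underlying pattern in code. This is an added example written for this page; it is not code from the Help Inject module, from Drupal core, or from the advisory's author. It assumes, as the proof of concept implies, that the module writes book node titles into markup shown on the 'inject help' screens without escaping them; exactly where helpinject does that is not shown in the advisory and is an assumption here. The sample node records are constructed, the function names are hypothetical, and the fix uses the ordinary Drupal 6 API (check_plain()).

```php
<?php
// Added example, not code from helpinject or from the advisory.
// A user with only 'create book content' controls a node title; a user with
// 'inject help' later sees that title rendered. If the title is concatenated
// into HTML unescaped, the low-privilege user's script runs in the
// administrator's browser (the alert in step 17 of the proof of concept).

// Drupal 6's check_plain() is htmlspecialchars() with ENT_QUOTES. It is
// defined here only so the script runs outside Drupal; inside Drupal the core
// function is used and this branch is skipped.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: two book nodes as a query on {node} might return
// them. The second title is the payload the advisory enters in step 10.
$books = array(
  (object) array('nid' => 1, 'title' => 'Site manual'),
  (object) array('nid' => 2, 'title' => "<script>alert('xss');</script>"),
);

// Vulnerable rendering (hypothetical helper): the title goes straight into the
// markup, so any HTML in it reaches the privileged user's browser intact.
function helpinject_example_options_vulnerable(array $books) {
  $out = '';
  foreach ($books as $book) {
    $out .= '<option value="' . $book->nid . '">' . $book->title . "</option>\n";
  }
  return $out;
}

// Hardened rendering: every user-supplied string passes through check_plain()
// at the point it is emitted; nid is cast to int so it needs no escaping.
function helpinject_example_options_safe(array $books) {
  $out = '';
  foreach ($books as $book) {
    $out .= '<option value="' . (int) $book->nid . '">'
          . check_plain($book->title) . "</option>\n";
  }
  return $out;
}

// The same rule applies when the titles become Form API '#options' for radios
// or checkboxes: Drupal 6 renders those labels without escaping them, so the
// module building the form must escape them itself.
function helpinject_example_radio_options(array $books) {
  $options = array();
  foreach ($books as $book) {
    $options[(int) $book->nid] = check_plain($book->title);
  }
  return $options;
}

// Regression check a maintainer can keep in a test: no live <script> tag may
// survive in the rendered output.
function helpinject_example_is_safe($html) {
  return stripos($html, '<script') === FALSE;
}

echo "--- vulnerable ---\n", helpinject_example_options_vulnerable($books);
echo "--- hardened ---\n", helpinject_example_options_safe($books);
var_dump(helpinject_example_is_safe(helpinject_example_options_vulnerable($books)));
var_dump(helpinject_example_is_safe(helpinject_example_options_safe($books)));
```

Run it with `php example.php`: the first block prints the script tag verbatim, the second prints it as `&lt;script&gt;...`, and the two var_dump() lines show the unescaped output failing the check and the escaped output passing it. The point a reviewer of the module would raise is that escaping has to happen where the string is emitted, not where it is stored: the node title is legitimately stored raw, and 'create book content' is a low-privilege permission, so every place the module echoes a title to an 'inject help' user needs check_plain() (or t() with an @ placeholder, which escapes the same way).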