Re: [Full-disclosure] Drupal Help Injection Module XSS Vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Drupal Help Injection Module XSS Vulnerability
- From: Mori Sugimoto <foss@xxxxxxxxxxxxx>
- Date: Sun, 28 Feb 2010 01:37:26 +0000
Correction: Drupal Security Team _only_ deals with vulnerability reports
that are related to major releases or release candidates.
Mori Sugimoto
Drupal Security Team
On 27/02/2010 23:49, Mori Sugimoto wrote:
> This module is still in alpha and not considered suitable for any
> production environment. Drupal Security Team does not deal with
> vulnerability reports that are related to major releases or release
> candidates. Instead we encourage reporters to contact the module
> maintainers and fix any issue in the public issue queue. Please refer to
> http://drupal.org/node/475848 for more detail.
>
> Mori Sugimoto
> Drupal Security Team
>
>
>
> On 17/02/2010 16:29, Justin C. Klein Keane wrote:
>
>> The full text of this advisory can also be found at
>> http://www.madirish.net/?article=448
>>
>> Description of Vulnerability:
>> -----------------------------
>> Drupal (http://drupal.org) is a robust content management system (CMS)
>> written in PHP and MySQL that provides extensibility through hundreds of
>> third party modules. The Advanced Help Injection and Export Module
>> (http://drupal.org/project/helpinject) "assists you in writing help
>> texts suitable for use with the Advanced Help module by allowing you to
>> write your help texts in Drupal books." The module suffers from an
>> arbitrary HTML injection vulnerability.
>>
>> Systems affected:
>> -----------------
>> Drupal 6.15 using Advanced Help 6.x-1.2 and Help Inject 6.x-1.0-alpha6
>> was tested and shown to be vulnerable. The Advanced Help module is a
>> dependency, but was not tested for vulnerability.
>>
>> Impact
>> ------
>> Attackers can exploit this vulnerability to escalate privilege and take
>> control of the web server process.
>>
>> Mitigating factors:
>> -------------------
>> The Advanced Help and Help Inject modules must be installed and enabled.
>> Attacker must have 'create book content' permissions in order to
>> exploit this vulnerability. Only those with the 'inject help'
>> permission are vulnerable, although this includes the site administrator.
>>
>> Proof of concept:
>> -----------------
>> 1. Install Drupal 6.15.
>> 2. Install Book, Advanced Help and Help Inject and enable all
>> functionality through Administer -> Modules
>> 3. Log in as uid 0 - the admin account
>> 4. Create a book using 'Create content' -> 'Book page'
>> 5. Fill in arbitrary values for the book title
>> 6. Expand the 'Book outline' form and select '<create a new book>' from
>> the 'Book:' select
>> 7. Save the book using the 'Save' button
>> 8. Log out and log in as a user with 'create book content' privilege
>> 9. Click 'Create content' -> 'Book page'
>> 10. Enter "<script>alert('xss');</script>" for the 'Title:' area
>> 11. Expand the 'Book outline' fieldset
>> 12. Select the book created in step 5 from the 'Book:' select item
>> 13. Click the 'Save' button
>> 14. Log out and log in as a user with privileges to 'inject help'
>> 15. Click on any of the Help Inject icons (the little plus in a gray
>> circle)
>> 16. Click the 'Next' button on the 'path granularity' screen
>> 17. Observe the JavaScript alert.
>>
>>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
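The advisory quoted above describes a stored HTML injection: a book title entered by a user with 'create book content' is later rendered unescaped in a Help Inject screen seen by a user with 'inject help'. The following PHP is an added example written for this page, not code from the helpinject module or from the advisory's author; it shows the vulnerable output pattern beside the hardened one. Because Drupal's check_plain() is only available inside a Drupal bootstrap, a local stand-in (escape_plain) with the same htmlspecialchars(ENT_QUOTES, UTF-8) behaviour is defined here; the node array, the function names and the regression check are all constructed for illustration.

```php
<?php
// Added example, not the helpinject module's own code. Demonstrates how a
// Drupal 6 book title ends up in an admin-facing form, first interpolated raw
// (the defect class in the advisory) and then escaped at output time.

// Constructed sample nodes: one benign book and one whose title carries the
// exact payload from the advisory's proof of concept.
$books = array(
    array('nid' => 1, 'title' => 'Site manual'),
    array('nid' => 2, 'title' => "<script>alert('xss');</script>"),
);

// Stand-in for Drupal 6 check_plain() (assumption: a real fix would call
// check_plain() itself). ENT_QUOTES makes the result safe in element content
// and inside single- or double-quoted attribute values.
function escape_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: user-controlled title written straight into markup.
function render_book_select_vulnerable(array $books) {
    $html = '<select name="book">';
    foreach ($books as $book) {
        $html .= '<option value="' . $book['nid'] . '">'
               . $book['title'] . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: numeric id cast to int, title escaped on every output.
function render_book_select_hardened(array $books) {
    $html = '<select name="book">';
    foreach ($books as $book) {
        $html .= '<option value="' . (int) $book['nid'] . '">'
               . escape_plain($book['title']) . '</option>';
    }
    return $html . '</select>';
}

// Regression check a maintainer could keep in the module's test suite:
// rendered output must never contain an unescaped <script tag.
function contains_raw_script($html) {
    return stripos($html, '<script') !== false;
}

$vuln = render_book_select_vulnerable($books);
$safe = render_book_select_hardened($books);

echo 'vulnerable output contains raw <script>: '
   . (contains_raw_script($vuln) ? 'yes' : 'no') . "\n";
echo 'hardened output contains raw <script>:   '
   . (contains_raw_script($safe) ? 'yes' : 'no') . "\n";
echo $safe . "\n";
```

Running it with `php example.php` shows the vulnerable renderer passing the script tag through untouched while the hardened renderer emits it as `&lt;script&gt;...&lt;/script&gt;`, which the browser displays as text. The point for reviewers of Drupal 6 modules is that node titles are untrusted input regardless of which role created them, so escaping belongs at the point of output in the module, not in the permission model that the advisory lists under mitigating factors.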