[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drupal security has been aware of this issue for quite some time now.
But basically, as their response indicates, you need admin access to
exploit these issues.  However, if you have admin access you can execute
PHP and basically do anything you want.  Your vulnerability hinges on
being able to bypass the CSRF security in place in Drupal.  Seems like a
bit of a stretch to release this as an advisory.  Why not include the
fact that if you can bypass the CSRF detection you can also execute
arbitrary code with the privileges of the web server?

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 01/13/2011 02:43 PM, YGN Ethical Hacker Group wrote:
> ==========================================================================
> Drupal 5.x, 6.x  <= Stored Cross Site Scripting Vulnerability
> ==========================================================================
> 
> 
> 1. OVERVIEW
> 
> Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting.
> 
> 
> 2. BACKGROUND
> 
> Drupal is a free software package that allows anyone to easily
> publish, manage and organize a wide variety of content on a website.
> Hundreds of thousands of people and organizations are using Drupal to
> power an endless variety of sites.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> The 'site_footer', 'name', 'explanation' parameters are not properly
> sanitized in administration backend of Drupal 5.x and 6.x versions,
> which could allow attackers to conduct stored cross site scripting
> attacks.
> 
> 
> 4. VERSIONS AFFECTED
> 
> The vulnerability was tested in Drupal version 5.23 and 6.20,
> currently latest versions of 5.x and 6.x families.
> The recent released version Drupal 7 seems to be not vulnerable.
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> => XSS in Footer (parameter: site_footer, module: system, url:
> admin/settings/site-information)
> 
> The 'site_footer' parameter is not properly sanitized at site
> information page (admin/settings/site-information)
> and XSS payload can be set as footer text.
> XSS will execute after "Administration theme" (url:
> admin/settings/admin) is set to Marvin, and Chamelon.
> 
> 
> => XSS in Role (parameter: name, module: role, url: admin/user/roles)
> 
> The 'name' parameter is not properly sanitized and XSS payload can be
> set as a role name.
> This will affect in administration pages as well as user registration
> page if the role is set to be shown.
> 
> 
> => XSS in Profile (parameter: explanation, module: profile, url:
> admin/user/profile)
> 
> The 'explanation' parameter is not properly sanitized when adding new
> 
>     * single-line textfield
>     * multi-line textfield
>     * checkbox
>     * list selection
>     * freeform list
>     * URL
>     * date
>       
> XSS can be executed in user registration page, user profile, and
> member list pages if it is set to be visible.
> 
> 
> See:
> http://attacker.in/drupal6/
> http://attacker.in/drupal6/user/register
> http://attacker.in/drupal6/user/[ID]/edit/xss
> 
> 
> 6. IMPACT
> 
> This XSS attack can be directly conducted on drupal sites where
> anti-csrf form_token check is disabled.
> If it is enabled, attacker must find ways to bypass anti-csrf token
> using revolutionary or traditional methods.
> After compromising it, attackers can plant persistent XSS backdoors in
> user registration page,user profile page, member list pages, user
> roles and profile settings pages of administration backend.
> 
> 
> 7. SOLUTION
> 
> Upgrade to Drupal 7.
> Lock down access to administration backend.
> Disable Full HTML formatting for sites that allow public user registration.
> 
> 
> 8. VENDOR
> 
> Drupal Development Team
> http://drupal.org
> 
> 
> 9. CREDIT
> 
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
> 
> 
> 10. DISCLOSURE TIME-LINE
> 
> 2010-12-30: notified vendor
> 2010-12-31: vendor replied 'not considered as vulnerabilities'
> 2011-01-14: vulnerability disclosed
> 
> 
> 11. VENDOR RESPONSE
> 
>> The issues you report are not considered security vulnerabilities since 
>> advanced permissions
>> (which in and of themselves would allow malicious users to take over a site) 
>> are required
>> in order to exploit them. For the issues you reported, "administer site 
>> configuration" is required to
>> edit the site footer message, and "administer users" is required to add/edit 
>> role names and profile fields.
>>
>> See the section "What About Vulnerabilities Which Require Advanced 
>> Permissions?" in
>> http://drupal.org/security-advisory-policy for additional information.
> 
> 
> 12. REFERENCES
> 
> Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
> About Drupal: http://drupal.org/about
> Drupal Security Policy: http://drupal.org/security-advisory-policy
> Disabling Form Token Check: http://data.agaric.com/node/2343
> Anti-CSRF measures and XSS:
> http://nileshkumar83.blogspot.com/2010/07/anti-csrf-measures-and-xss.html
> Bypassing CSRF protections:
> http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
> Defeating Anti-CSRF XSS:
> http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
> Defeating Anti-CSRF XSS:
> http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html
> 
> #yehg [2011-01-14]
> 
> 
> 
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk0vYGcACgkQkSlsbLsN1gAgPAb/aoc+hq2xrfjpk8Me6oMqiK8J
VX4rUfH6ibVsPJQkLqIl3s6LCdLEVaxb2XuY019SXpk/Ud6Anb0IT6uOrIrvtriB
vxfjXn6pJ/Eb0e0YErSQ5abZRUU4yIBKeGbRg1GJoF9zrGk6ZSMIijHJ/yX5P0OF
azY6VQUVu1gnAQqsV6gx1FiuYJpBSBT3YY/oEzCT7GGFtWkAGm3SFE5NV5nSEb7l
dCLadPUnff1xzZ5RWD9A4SCTkOzSGxP11F59H7G6BBvcqyfm07Y0wLIB+Z3ecMFH
WY/ajUivnI1ODQ5F9Vk=
=jivE
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/