
Re: [Full-disclosure] Drupal Data Module Multiple Vulnerabilities



On Wed, Feb 09, 2011 at 12:40:29PM -0500, Justin Klein Keane wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Description of Vulnerability:
> 
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Data module
> (http://drupal.org/project/data) "helps you model, manage and query
> related sets of tables. It offers an administration interface and a low
> level API for manipulating tables and accessing their contents."
> 
> The Data module contains multiple Cross Site Scripting (XSS)
> vulnerabilities because it fails to sanitize table descriptions, field
> names or labels before display.  This results in multiple stored XSS as
> well as DOM based XSS vulnerabilities.  Drupal site users with the
> ability to create or edit tables using the Data module could inject
> arbitrary HTML into administrative pages.
> 
> The Data module also contains numerous SQL injection vulnerabilities
> because it fails to sanitize values for table names or column names
> before invoking SQL statements.  This allows users with the ability to
> create or edit tables managed by the Data module to perform SQL
> injection attacks.
> 
> Systems affected:
> 
> Drupal 6.20 with Data 6.x-1.0-alpha14 was tested and shown to be vulnerable.
> 
> Impact
> 
> Users could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise. A more likely scenario would be for an
> attacker to inject hidden content (such as iframes, applets, or embedded
> objects) that would attack client browsers in an attempt to compromise
> site users' machines. This vulnerability could also be used to launch
> cross site request forgery (XSRF) attacks against the site that could
> have other unexpected consequences.
> 
> Mitigating factors:
> 
> In order to exploit this vulnerability the attacker must have
> credentials to an authorized account that has been assigned the
> permissions to administer or edit in the Data module. This could be
> accomplished via social engineering, brute force password guessing, or
> abuse of legitimate credentials.
> 
> Vendor response:
> 
> Drupal security team does not handle issues with pre-release versions of
> modules (such as alpha or dev). These issues were reported in the
> module's public issue queue (http://drupal.org/node/1056470).
> 
> The text of this advisory has also been posted at
> http://www.madirish.net/?article=480
> 
> - -- 
> Justin C. Klein Keane
> http://www.MadIrish.net

Does this issue have a CVE identifier? I can request a CVE identifier if there
isn't one.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
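
The two root causes named in the quoted advisory (unvalidated table and column names in SQL, unescaped labels and descriptions in HTML), shown with their usual fixes. This is an added example, not part of the thread and not the Data module's code. It is plain PHP; the `example_*` function names, the `ALTER TABLE` statement shape, the type list and the sample input are assumptions made for illustration.

```php
<?php
// Added example: not the Data module's code. All example_* names are hypothetical.

// SQL identifiers (table and column names) cannot be bound as query
// parameters, so they must be validated before being placed in a statement.
// Drupal 6 core offers db_escape_table() for this; this version rejects
// instead of silently stripping, so bad input is visible to the caller.
function example_valid_identifier($name) {
  return is_string($name) && preg_match('/^[a-z][a-z0-9_]{0,62}$/D', $name) === 1;
}

// Build a column-add statement only from validated identifiers and an
// allow-listed column type (the statement shape is an assumption).
function example_add_column_sql($table, $column, $type) {
  $types = array('int' => 'INT', 'varchar' => 'VARCHAR(255)', 'text' => 'TEXT');
  if (!example_valid_identifier($table) || !example_valid_identifier($column)) {
    throw new InvalidArgumentException('Invalid table or column name');
  }
  if (!isset($types[$type])) {
    throw new InvalidArgumentException('Unsupported column type');
  }
  return sprintf('ALTER TABLE `%s` ADD COLUMN `%s` %s', $table, $column, $types[$type]);
}

// Labels and descriptions are free text: store them as entered and escape
// on output. Drupal 6's check_plain() does the equivalent.
function example_render_label($label) {
  return htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: one well-formed field, one malformed field.
$samples = array(
  array('feed_items', 'title', 'varchar', 'Item <b>title</b>'),
  array('feed_items', 'bad`name; --', 'int', '<script>alert(1)</script>'),
);
foreach ($samples as $s) {
  list($table, $column, $type, $label) = $s;
  echo 'label: ', example_render_label($label), "\n";
  try {
    echo 'sql:   ', example_add_column_sql($table, $column, $type), "\n";
  } catch (InvalidArgumentException $e) {
    echo 'sql:   rejected (', $e->getMessage(), ")\n";
  }
}
```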