Full Disclosure mailing list archives
Re: Drupal Help Injection Module XSS Vulnerability
From: Mori Sugimoto <foss () diasporan net>
Date: Sun, 28 Feb 2010 01:37:26 +0000
Correction: Drupal Security Team _only_ deals with vulnerability reports that are related to major releases or release candidates.

Mori Sugimoto
Drupal Security Team

On 27/02/2010 23:49, Mori Sugimoto wrote:

This module is still in alpha and not considered suitable for any production environment. Drupal Security Team does not deal with vulnerability reports that are related to major releases or release candidates. Instead we encourage reporters to contact the module maintainers and fix any issue in the public issue queue.

Please refer to http://drupal.org/node/475848 for more detail.

Mori Sugimoto
Drupal Security Team

On 17/02/2010 16:29, Justin C. Klein Keane wrote:

The full text of this advisory can also be found at http://www.madirish.net/?article=448

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Advanced Help Injection and Export Module (http://drupal.org/project/helpinject) "assists you in writing help texts suitable for use with the Advanced Help module by allowing you to write your help texts in Drupal books." The module suffers from an arbitrary HTML injection vulnerability.

Systems affected:
-----------------
Drupal 6.15 using Advanced Help 6.x-1.2 and Help Inject 6.x-1.0-alpha6 was tested and shown to be vulnerable. The Advanced Help module is a dependency, but was not tested for vulnerability.

Impact
------
Attackers can exploit this vulnerability to escalate privilege and take control of the web server process.

Mitigating factors:
-------------------
The Advanced Help and Help Inject modules must be installed and enabled. Attacker must have 'create book content' permissions in order to exploit this vulnerability. Only those with the 'inject help' permission are vulnerable, although this includes the site administrator.

Proof of concept:
-----------------
1. Install Drupal 6.15.
2. Install Book, Advanced Help and Help Inject and enable all functionality through Administer -> Modules
3. Log in as uid 0 - the admin account
4. Create a book using 'Create content' -> 'Book page'
5. Fill in arbitrary values for the book title
6. Expand the 'Book outline' form and select '<create a new book>' from the 'Book:' select
7. Save the book using the 'Save' button
8. Log out and log in as a user with 'create book content' privilege
9. Click 'Create content' -> 'Book page'
10. Enter "<script>alert('xss');</script>" for the 'Title:' area
11. Expand the 'Book outline' fieldset
12. Select the book created in step 5 from the 'Book:' select item
13. Click the 'Save' button
14. Log out and log in as a user with privileges to 'inject help'
15. Click on any of the Help Inject icons (the little plus in a gray circle)
16. Click the 'Next' button on the 'path granularity' screen
17. Observe the JavaScript alert.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
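The class of bug described in the quoted advisory, a stored book page title written into HTML without output escaping, can be shown with a stand-alone sketch. This is an added example, not code from the thread, from Help Inject or from Drupal: escape_plain(), render_title_list() and find_markup_titles() are hypothetical names, escape_plain() stands in for Drupal's check_plain(), and the node ids and titles are constructed sample data (the script title is the string from step 10).

```php
<?php
// Added example: stand-alone PHP, not Help Inject or Drupal source code.

// Hypothetical stand-in for Drupal's check_plain(): HTML-escape text for output.
// With an explicit charset, htmlspecialchars() returns '' for invalid UTF-8.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical renderer for a list of book page titles keyed by node id.
// $escape = FALSE reproduces the unescaped output the advisory describes.
function render_title_list(array $titles, $escape = TRUE) {
  $items = '';
  foreach ($titles as $nid => $title) {
    $label = $escape ? escape_plain($title) : $title;
    $items .= '<li><a href="/node/' . (int) $nid . '">' . $label . "</a></li>\n";
  }
  return "<ul>\n" . $items . "</ul>\n";
}

// Audit helper: list stored titles that contain something shaped like a tag,
// so content saved before a fix can be reviewed by an administrator.
function find_markup_titles(array $titles) {
  $hits = array();
  foreach ($titles as $nid => $title) {
    if (preg_match('/<[a-z!\/]/i', $title)) {
      $hits[$nid] = $title;
    }
  }
  return $hits;
}

// Constructed sample data.
$titles = array(
  12 => 'Getting started',
  13 => "<script>alert('xss');</script>",
  14 => 'Tips & tricks',
);

echo "Unescaped (behaviour described in the advisory):\n";
echo render_title_list($titles, FALSE);

echo "\nEscaped at output:\n";
echo render_title_list($titles);

echo "\nTitles to review:\n";
foreach (find_markup_titles($titles) as $nid => $title) {
  echo 'node ' . $nid . ': ' . escape_plain($title) . "\n";
}
```

Escaping belongs at the point of output, so the stored title stays unchanged and every place that prints it has to apply the escape itself.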
Current thread:
- Drupal Help Injection Module XSS Vulnerability Justin C. Klein Keane (Feb 17)
- Re: Drupal Help Injection Module XSS Vulnerability Mori Sugimoto (Feb 27)
- Re: Drupal Help Injection Module XSS Vulnerability Mori Sugimoto (Feb 27)
- Re: Drupal Help Injection Module XSS Vulnerability Mori Sugimoto (Feb 27)