Superfish 7.x Minor Cross Site Scripting Vulnerability

[Ubani Balogun <ubani () sas upenn edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Superfish 7.x-1.9 Cross Site Scripting Vulnerability
====================================================

Author: Ubani A Balogun <ubani () sas upenn edu>
Reported: June 25, 2014

Product Description:
- --------------------
Superfish integrates jQuery Superfish plugin with your Drupal menus.

Description of Vulnerability:
- -----------------------------
Superfish suffers from a minor Cross Site Scripting vulnerability due
to its failure to sanitize error messages before displaying them using
the Drupal form_set_error function on the module configuration page.

System impacted:
- ----------------
Superfish 7.x-1.9 was tested on Drupal 7.28 using the Mozilla Firefox
29.0 browser and found to be vulnerable.

Impact:
- -------
Users with the permission to administer the superfish module can
inject arbitrary script via the module configuration form that
executes if form validation fails.

Mitigating Factors:
- -------------------
A malicious user must have permissions to administer the superfish
module in order to inject and execute arbitrary script. The
vulnerability is further mitigated by the fact that the injected
script is not persistent, thus reducing the impact of the vulnerability.

Proof of Concept:
- -----------------
1. Install and enable Superfish 7.x-1.9 on Drupal 7.28
2. Navigate to the superfish administration page at
?q=admin/config/user-interface/superfish.
3. Replace the contents of the text area "Path to Superfish library"
with: "<script>alert('XSS')</script>" (excluding quotes)
4. Click save configuration. Form validation fails, but a javascript
alert box with text "XSS" pops up

Patch:
- ------
The following patch mitigates the vulnerability

- --- superfish.admin.inc       2014-06-25 13:23:30.274737050 -0400
+++ superfish.admin_xssfixed.inc        2014-06-25 13:26:59.542740204 -0400
@@ -107,7 +107,7 @@ function superfish_admin_settings_valida
       else {
         $error_message = t('File not found') . ': ' . $error[0];
       }
- -      form_set_error('superfish_slp', $error_message);
+      form_set_error('superfish_slp', check_plain($error_message));
     }
   }
 }


Vendor Response:
- ----------------
The Drupal security team has acknowledged the existence of the
vulnerability and will be addressing the issue publicly. Due to the
low exploitability of the vulnerability, a patch will be released at
the module maintainer's earliest convenience.

- -- 
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJT39byAAoJEKwVbF01qrx/ARkIALJ47sXGIIWhrFB5SjZ8M6z6
JPDmHkxwcbYrmnrbRJ4EMcqWzjMXfW16ab+UYAhBGqtRnT3SMwKFiyjsleM6L80+
Z6Jm1Oc3DkZyM/bba20en0+HPSKxmZGpgFCYPUpwaSF29VePVf66pvYxrktXnpFI
dcwUFsPORYOSVaWhRnTGfWuu+hnl24ZYORqSvD/frLnZRAh0ZiRR7cJ07KWDOLRY
C1NdvSaW2VK3WQMARy9Jnjzo8Ea1Df/AQY2QHu1H3SHjvEn5lqrXL967uWUsmNmv
UKArb/xZlePn0mlPg+RtW/qNrJgniSZvDVMJXfyjuGDdQgOoQ4qWSBuHwaujogE=
=+UCp
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/