Full Disclosure mailing list archives
Drupal Print Module Multiple Vulnerabilities
From: Justin Klein Keane <justin () madirish net>
Date: Thu, 13 Aug 2009 14:46:19 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vulnerability Report Date of Original Vendor Contact: May 27, 2009 Author: Justin C. Klein Keane <justin () madirish net> Details of this vulnerability are also posted at the public URL http://lampsecurity.org/drupal-print-module-vulnerabilities Description of Vulnerability: - - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Printer, e-mail and PDF versions (hereafter referred to as Print) module (http://drupal.org/project/print) allows for the generation of printer friendly versions of nodes, PDF version of nodes, and the sending of nodes to e-mail recipients. The Print module contains numerous cross site scripting (XSS) vulnerabilities: The Print module contains a XSS vulnerability because it does not properly sanitize the output of the footers in printer friendly views. This allows users with 'administer print' permissions to inject arbitrary HTML in the footer field that is rendered whenever the printer friendly version of any node is displayed. The Print module also contains a XSS vulnerability due to the fact that 'Stylesheet URL' input is not properly sanitized when displayed. This allows malicious users the ability to inject external stylesheet locations into the link tag displayed on printer friendly versions of nodes. This vulnerability, combined with Internet Explorer support for "expression" in CSS allows for XSS attacks. The print module also contains a XSS vulnerability due to the fact that the 'site name' is not properly sanitized when displaying e-mail confirmation in the "Thank you for spreading the word about [site_name]" area. The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize the 'Thank You Message:' input. The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize node titles for display in the breadcrumbs on printer friendly versions of nodes. The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize the 'font family' setting when displaying PDF versions of nodes. Systems affected: - - ----------------- Drupal 6.12 with Print 6.x-1.7 and TCPDF 4.6.012 was tested and shown to be vulnerable to footer XSS injection. Drupal 6.12 with Print 6.x-1.7 and IE 6 was tested and shown to be vulnerable to link XSS injection. Additional testing indicated that the 5.x branch of the Print module is also vulnerable. Versions of Drupal more recent than those tested are likely affected as well. Impact: - - ------- XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. Mitigating factors: - - ------------------- Print must be installed and enabled. Attacker must have 'administer print' permissions in order to carry out the proof of concept exploit detailed below. Site administration permissions are required to carry out the site name injection described in the proof of concept below. Internet Explorer is vulnerable to the malicious style sheet inclusion proof of concept detailed below, other browsers may not be affected depending on their support for the 'expression' statement in cascading style sheets (CSS). Note that the proof of concept provided utilizes known attack vectors, other vectors may exist. Proof of concept: - - ----------------- 1. Install Drupal 6.12. 2. Install Print and enable all Print functionality through Administer - - -> Modules. Install TCPDF per the Print module INSTALL.txt 3. In Administer -> Site configuration set the site name to "<script>alert('site name');</script>" 4. Create a new content node with the title "<script>alert('node title');</script>" 5. Click "Save configuration" 6. Create malicious stylesheet at arbitrary URL (for this PoC the stylesheet is at http://192.168.0.2/style.css). Include the following: BODY { width:expression(alert("stylesheet xss")); } 7. Click on Administer -> Site Configuration -> Printer, e-mail and PDF versions 8. Select the 'Settings' link 9. Fill in "http://192.168.0.2/style.css' a='" for the "Stylesheet URL" 10. Expand the "Footer options" input area 11. Check the "User-specified" radio button 12. Fill in "<script>alert('footer xss');</script>" for the "User-specified:" text input 13. Click the "Save configuration" button 14. Navigate to the homepage 15. View the node created in step 3 above and click the "Printer-friendly version" link 16. Observe three JavaScript alerts in IE, other browsers may only display the node title and footer XSS alerts. 17. Return to the node view and click the "Send to friend" link. Fill in arbitrary values and click the "Send e-mail" button 18. Observe the site name JavaScript alert 19. Modify the PDF settings from Administer -> Site configuration -> Printer, e-mail and PDF versions. 20. Fill in "dejavusans' <script>alert('font family');</script>" in the "Font Family:" text input. 21. Click "Save configuration" 22. View the node created in step 4 above, click the "PDF version" link 23. Observe the JavaScript alert 24. Note that this causes a white screen and TCPDF error Timeline - -------- May 27 2009 - Issue reported to vendor June 1 2009 - Originator re-contacts vendor to confirm receipt June 1 2009 - Vendor confirms receipt June 9 2009 - Originator inquires as to possibility of June 10 fix June 9 2009 - Vendor replies maintainer contacted but June 10 fix unlikely July 24 2009 - Vendor reports a June 29 fix July 29 2009 - Vendor reports additional work necessary, fix delayed August 13 2009 - after two weeks and no update Originator goes Full Disclosure per terms of RFP disclosure policy .2.0 - -- Justin C. Klein Keane http://www.MadIrish.net http://www.LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org iPwEAQECAAYFAkqEX3sACgkQkSlsbLsN1gC2EwcAsQ9yy6LLD1/i4izR2dh+5Mxw D4XQVBy7ZdfNrSnq7ba2CJoGcMjuHKOxTzIgdh8NrQLNiQvYLRMY3EXYx4XVS3Ke +zHSPeRsrbH5Vt3LUiRK2AWPE6qBJ6ucNBkiaazV++AYJe8pIvcnouWy56mvP3cS zLHjj/gASFZNeWDrou640n1VSKVejeLmqp3xfGrmXL+sVpomD4qQlMSmFbnd69Zs L/fXxoqG1J8C0BfErOQzZwXiOahukKyOQEhBALtMEhp90A/CFzxmf9r5G36qYyJS qfKJMnpZlf950XMBOPM= =C/pM -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drupal Print Module Multiple Vulnerabilities Justin Klein Keane (Aug 13)