Full Disclosure mailing list archives

Re: [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities

From: "Justin C. Klein Keane" <justin () madirish net>
Date: Wed, 28 Mar 2012 18:40:59 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exploit for bespoke:

* Install and enable the Activity and Flag modules
* Add a new Flag with an arbitrary name at ?q=admin/build/flags/add
* On the resulting page (?q=admin/build/flags/add/node/[name]) enter
"<script>alert('xss');</script>" for the flag Title
* View the rendered Javascript at /?q=admin/settings/activity/flagactivity

* As above
* Alter the "Comment: Insert:" field in the "Message visible to the
"All" role" fieldgroup at ?q=admin/settings/activity/commentactivity
to insert the text "<script>alert('xss');</script>"
* Move the "Activity (All): show all recent activity" block to a
visible content region at ?q=admin/build/block
* Create a story at ?q=node/add/story
* Log out
* As anonymous user add a comment at ?q=comment/reply/X#comment-form
where X is the nid of the story from step #4
* Submit the comment to view the rendered JavaScript alert in the
Activity block or log back in to see the JavaScript at ?q=activity

Patch:

The following patch mitigates the above vulnerabilities.

- --- activity/activity.module  2009-04-26 21:45:25.000000000 -0400
+++ activity.fixed/activity.module      2012-01-26 06:34:56.014821191 -0500
@@ -311,7 +311,7 @@ function activity_module_settings(&$form
         '#type' => 'checkboxes',
         '#title' => t('Token types'),
         '#description' => t('Select the token types that you wish to
record activity from.'),
- -        '#options' => $info['types'],
+        '#options' => array_map("filter_xss", $info['types']),
         '#default_value' => variable_get($module .'_token_types',
array_keys($info['types'])),
         '#attributes' => array('class' => 'activity-token-types'),
       );
@@ -350,7 +350,7 @@ function activity_module_settings(&$form
                 if (count($types) > 1) {
                   $form[$module][$role_name][$type_name] = array(
                     '#type' => 'fieldset',
- -                    '#title' => t($type),
+                    '#title' => filter_xss(t($type)),
                     '#collapsible' => TRUE,
                     '#collapsed' => TRUE,
                   );
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit
     activity_invoke_activityapi($activity, 'render');
     $message = token_replace($pattern, $module, $data);
     $message = token_replace($message, 'activity', $data);
- -    return $message;
+    return filter_xss($message);
   }
 }


Justin Klein Keane
http://www.MadIrish.net

On 03/28/2012 04:29 PM, security-news () drupal org wrote:

* Advisory ID: DRUPAL-SA-CONTRIB-2012-051 * Project: Activity [1]
(third-party module) * Version: 6.x * Date: 2012-March-28 *
Security risk: Moderately critical [2] * Exploitable from: Remote *
Vulnerability: Cross Site Scripting, Cross Site Request Forgery

-------- DESCRIPTION 
---------------------------------------------------------

The Activity module keeps track of the things people do on your
site and provides mini-feeds of these activities in blocks, in a
specialized table, and via RSS. The module is extensible so that
any other module can integrate with it. The messages that are
produced are customizable via the admin interface and are context
sensitive.

The 6.x-1.x branch of the module does not filter output of the
module settings correctly leading to a cross site scripting
vulnerability (XSS). It also does not confirm user intent when
removing a single activity resulting in a cross site request
forgery vulnerability.

The XSS vulnerability is mitigated by the fact that it requires the
malicious user to have a role with the "access administration
pages" and "administer activity" permissions.

-------- VERSIONS AFFECTED 
---------------------------------------------------

* All releases of the 6.x-1.x branch

Drupal core is not affected. If you do not use the contributed
Activity [3] module, there is nothing you need to do.

-------- SOLUTION 
------------------------------------------------------------

Install the latest version:

* The 6.x-1.x branch of this module is no longer supported. Upgrade
to 6.x-2.0-alpha1 [4]

Note that there is currently no upgrade path. Users of the module
are encouraged to work in the module queue to help build an upgrade
path. Also see the Activity [5] project page.

-------- REPORTED BY 
---------------------------------------------------------

* Ivo Van Geertruyen [6] of the Drupal Security Team

-------- COORDINATED BY 
------------------------------------------------------

* Michael Hess [7] of the Drupal Security Team * Greg Knaddison [8]
of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION 
----------------------------------------

The Drupal security team can be reached at security at drupal.org
or via the contact form at http://drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10],
writing secure code for Drupal [11], and securing your site [12].


[1] http://drupal.org/project/activity [2]
http://drupal.org/security-team/risk-levels [3]
http://drupal.org/project/activity [4]
http://drupal.org/node/944146 [5]
http://drupal.org/project/activity [6]
http://drupal.org/user/383424 [7] http://drupal.org/user/102818 [8]
http://drupal.org/user/36762 [9] http://drupal.org/contact [10]
http://drupal.org/security-team [11]
http://drupal.org/writing-secure-code [12]
http://drupal.org/security/secure-configuration

_______________________________________________ Security-news
mailing list Security-news () drupal org 
http://lists.drupal.org/mailman/listinfo/security-news

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk9zk3sACgkQkSlsbLsN1gDgdAb+MocrDc6H7WlWnVIstWZ789HX
YiEghVeylWjGvarEN2sLytvIXoA2XvDcCl2y6dSwc7VawlaI3rgT8OXn5981jqfv
bwDA7b59po+98L11YjBbF1glLox5Xp/X+XGC/dLb64NKAl9DzB4t9Uxfo5YfHIvk
JVaqzSQxSQVGQ0aTICe4k1hwkSdOBCN5rCq7LU2Ms1R0vyATUNfQKPIbqRpO3GfP
ccQ5IRuZ+k5x7FlGlg1eZ0+h3KOlOvCZ+movFf5jsxAwnmQoTeF0zd4JuMzAmvYq
QHxXwWLzA7BdY5ijpH0=
=EgBQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities security-news (Mar 28)
- Re: [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities Justin C. Klein Keane (Mar 28)
  - Re: [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities Greg Knaddison (Mar 29)