Full Disclosure mailing list archives

Re: Drupal core XSS vulnerability


From: Greg Knaddison <greg.knaddison () gmail com>
Date: Wed, 14 Aug 2013 08:00:39 -0600

Thanks to Justin for identifying and describing this issue.

With a little more detail inline.

On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane
<justin () madirish net> wrote:
<snip>
> Mitigating factors:
> -------------------
> In order to inject arbitrary script malicious attackers must have the
> ability to manipulate module .info files on a site filesystem, perhaps
> via permissions misconfiguration,

It feels unclear to me if the permissions mentioned here are Drupal
permissions or others. So, to be clear, this would require server file
permission misconfiguration. The info files are placed in the same
directories as php code. For this vulnerability to be significant it
would require permissions like:

-rw-rw-rw-  1 deployuser  deployuser    243 Jan  7  2013 machine_name.info
-rw-rw-r--  1 deployuser  deployuser    434 Jan  7  2013 machine_name.install
-rw-rw-r--  1 deployuser  deployuser   3802 Jan  7  2013 machine_name.module

Or maybe:

-rw-rw-r--  1 deployuser  somegroup    243 Jan  7  2013 machine_name.info
-rw-r--r--  1 deployuser  somegroup    434 Jan  7  2013 machine_name.install
-rw-r--r--  1 deployuser  somegroup   3802 Jan  7  2013 machine_name.module

In the first scenario the attacker would just need a shell on the
server. In the second scenario the attacker would need a shell on the
server and membership in somegroup.

<snip>

> feels this issue is already public (https://drupal.org/node/637538),
> however the public discussion only concerns the development of the
> next major release of Drupal - Drupal 8.  There is no mention in the
> public discussion, of the fact that this issue faces both current
> supported release versions (Drupal 7 and Drupal 6) and likely previous
> releases.

I updated that issue to include Drupal 7 and Drupal 6 mentions.

It's true this affects previous releases, but previous releases are
explicitly EOL and full of holes that are not documented.
* Drupal 5 EOL Announcement: https://drupal.org/node/1027214
* Drupal 4.7 EOL Announcement: https://drupal.org/node/225729

Regards,
Greg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
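As an added example (not part of Greg's or Justin's message, nor Drupal project code), the following POSIX shell script checks a Drupal tree for the precondition Greg describes: module .info files whose group- or other-write bit is set, which is the "server file permission misconfiguration" the listings above illustrate. It also checks for writable module directories, since a writable directory lets a file be replaced regardless of the file's own mode. The directory layout, file names and modes it builds are constructed for the demonstration; point `find_writable` at a real site root to audit a deployment.

```shell
#!/bin/sh
# Added example, not from the original message. Audits a Drupal tree for
# the precondition Greg describes: .info files writable by group or world.

# Print every regular file under directory $1 matching glob $2 whose mode
# has the group-write (020) or other-write (002) bit set.
find_writable() {
    find "$1" -type f -name "$2" \( -perm -020 -o -perm -002 \) -print
}

# A writable module directory lets the .info file be replaced regardless of
# the file's own mode, so directories deserve the same check.
find_writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# Number of group/world-writable .info files under $1 (printed on stdout).
count_writable_info() {
    find_writable "$1" '*.info' | wc -l | tr -d ' '
}

# Remediation: clear the group/other write bits on every .info file that
# has them. Ownership is not touched; the files should still be owned by
# the deploy user rather than the web server user.
fix_info_perms() {
    find "$1" -type f -name '*.info' \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Build a constructed sample tree mirroring Greg's first listing: a
# world-writable .info next to group-writable .install/.module files, plus a
# correctly permissioned second module. Prints the tree root on stdout.
make_sample_tree() {
    root="$(mktemp -d)"
    bad="$root/sites/all/modules/machine_name"
    good="$root/sites/all/modules/safe_module"
    mkdir -p "$bad" "$good"
    chmod -R go-w "$root"            # directories deterministic: not group/world writable
    : > "$bad/machine_name.info";    chmod 666 "$bad/machine_name.info"
    : > "$bad/machine_name.install"; chmod 664 "$bad/machine_name.install"
    : > "$bad/machine_name.module";  chmod 664 "$bad/machine_name.module"
    : > "$good/safe_module.info";    chmod 644 "$good/safe_module.info"
    printf '%s\n' "$root"
}

# Demonstration against the constructed tree; replace "$site" with a real
# site root (path is an assumption, e.g. /var/www/drupal) to audit a deployment.
site="$(make_sample_tree)"
echo "group/world-writable .info files under $site:"
find_writable "$site" '*.info'
echo "group/world-writable module directories:"
find_writable_dirs "$site"
echo "group/world-writable PHP files (a separate, larger problem than this issue):"
find_writable "$site" '*.module'
rm -rf "$site"
```

`fix_info_perms` deliberately touches only .info files so that the check and the fix cover the same set; a writable .module or .install file is a code-execution problem in its own right and is only reported here, not changed.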

