Full Disclosure mailing list archives

Re: Superfish 7.x Minor Cross Site Scripting Vulnerability


From: Greg Knaddison <greg.knaddison () gmail com>
Date: Mon, 4 Aug 2014 15:31:25 -0600

Thanks for reporting this bug to the Drupal Security Team and for sharing a
description of it here.

I think the mitigating factors section is a little unclear. I've added some
information about them inline below.

On Mon, Aug 4, 2014 at 12:54 PM, Ubani Balogun <ubani () sas upenn edu> wrote:


> Mitigating Factors:
> -------------------
> A malicious user must have permissions to administer the superfish
> module in order to inject and execute arbitrary script. The
> vulnerability is further mitigated by the fact that the injected
> script is not persistent, thus reducing the impact of the vulnerability.


This is a reflected XSS issue that requires a form POST. The malicious
JavaScript is not stored/persisted. The form POST is protected by a CSRF
token so it cannot be exploited against another person.

Therefore, the attack requires social engineering to trick an admin into
performing XSS against themselves. Given that, there are probably other,
easier ways to trick a Drupal admin into introducing a more persistent
vulnerability into the site. A similar XSS issue exists in nearly all web
applications by social-engineering a site-admin to open the "developer
tools" and paste in some JavaScript the way that people have gone after
Facebook:

http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools


Regards,
Greg

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
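A constructed model of the reasoning in the reply above (added here; not code from the Superfish module, Drupal, or either poster): a POST handler that reflects one field unescaped, guarded by a per-session form token that stands in for Drupal's form token. The field name `menu_setting`, the token message, and the sample payload are all assumptions; it shows why a cross-site submission never reaches the reflecting code, why a same-session submission is self-XSS only, and what output escaping changes.

```python
import hmac
import html
import secrets


class SettingsForm:
    """Constructed model (not Drupal code) of a POST form whose handler
    reflects one field back into the page. The token is bound to the
    session and is unreadable from another origin, so a forged
    cross-site POST is rejected before any reflection happens."""

    def __init__(self):
        self._tokens = {}  # session id -> token issued with the form

    def issue_token(self, session_id):
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def _token_ok(self, session_id, token):
        expected = self._tokens.get(session_id)
        if expected is None or token is None:
            return False
        return hmac.compare_digest(expected, token)

    def submit_vulnerable(self, session_id, form):
        """Bug class from the advisory: value reflected without escaping."""
        if not self._token_ok(session_id, form.get("form_token")):
            return 403, "form token missing or invalid"  # constructed message
        value = form.get("menu_setting", "")  # placeholder field name
        return 200, f'<input name="menu_setting" value="{value}">'

    def submit_fixed(self, session_id, form):
        """Same handler with attribute-safe output escaping applied."""
        if not self._token_ok(session_id, form.get("form_token")):
            return 403, "form token missing or invalid"
        value = html.escape(form.get("menu_setting", ""), quote=True)
        return 200, f'<input name="menu_setting" value="{value}">'


PAYLOAD = '"><script>alert(1)</script>'  # constructed sample input


def demo():
    form = SettingsForm()
    admin = "admin-session"
    token = form.issue_token(admin)
    # A third-party page forging the POST has no way to learn the token.
    cross_site = form.submit_vulnerable(admin, {"menu_setting": PAYLOAD})
    # The admin submitting the payload in their own session (self-XSS).
    self_xss = form.submit_vulnerable(admin, {"menu_setting": PAYLOAD, "form_token": token})
    fixed = form.submit_fixed(admin, {"menu_setting": PAYLOAD, "form_token": token})
    return cross_site, self_xss, fixed
```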