Full Disclosure mailing list archives
Re: Superfish 7.x Minor Cross Site Scripting Vulnerability
From: Greg Knaddison <greg.knaddison () gmail com>
Date: Mon, 4 Aug 2014 15:31:25 -0600
Thanks for reporting this bug to the Drupal Security Team and for sharing a description of it here. I think the mitigating factors section is a little unclear. I've added some information about them inline below.

On Mon, Aug 4, 2014 at 12:54 PM, Ubani Balogun <ubani () sas upenn edu> wrote:

> Mitigating Factors:
> -------------------
> A malicious user must have permissions to administer the superfish module in order to inject and execute arbitrary script. The vulnerability is further mitigated by the fact that the injected script is not persistent, thus reducing the impact of the vulnerability.

This is a reflected XSS issue that requires a form POST. The malicious JavaScript is not stored/persisted. The form POST is protected by a CSRF token so it cannot be exploited against another person. Therefore, the attack requires social engineering to trick an admin into performing XSS against themselves.

Given that, there are probably other, easier ways to trick a Drupal admin into introducing a more persistent vulnerability into the site. A similar XSS issue exists in nearly all web applications by social-engineering a site-admin to open the "developer tools" and paste in some JavaScript the way that people have gone after Facebook: http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools

Regards,
Greg
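
The reply's reasoning, as an added Python model (not code from the original post, from Drupal, or from the Superfish module): a form handler that validates a session-bound CSRF token before reflecting a POSTed value, with the unescaped and escaped output side by side. The names `SITE_KEY`, `form_token`, `handle_post`, the field names, and the session ids are assumptions made for this sketch.

```python
import hashlib
import hmac
import html
import secrets

SITE_KEY = secrets.token_bytes(32)          # constructed per-site secret (assumption)
MARKUP = "<script>alert(1)</script>"        # constructed test input


def form_token(session_id: str, form_id: str) -> str:
    """CSRF token bound to one session and one form."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def handle_post(session_id: str, post: dict, escape_output: bool):
    """Model of an admin form that echoes a submitted value when re-rendered.

    Returns (status, body). The token check runs before any reflection.
    """
    expected = form_token(session_id, "settings_form")
    if not hmac.compare_digest(expected, post.get("form_token", "")):
        return 403, "form token invalid"
    value = post.get("label", "")
    if escape_output:
        value = html.escape(value, quote=True)   # the actual fix for the XSS
    return 200, f"<p>Saved label: {value}</p>"


def scenarios():
    admin = "admin-session"                      # constructed session id
    # A third-party page can make the admin's browser POST, but it can only
    # supply a token it knows: one minted for a different session.
    forged = {"label": MARKUP,
              "form_token": form_token("attacker-session", "settings_form")}
    # The admin submitting the form themselves carries a valid token.
    own = {"label": MARKUP, "form_token": form_token(admin, "settings_form")}
    return {
        "cross_site_forged": handle_post(admin, forged, escape_output=False),
        "self_submitted_unescaped": handle_post(admin, own, escape_output=False),
        "self_submitted_escaped": handle_post(admin, own, escape_output=True),
    }


if __name__ == "__main__":
    for name, (status, body) in scenarios().items():
        print(f"{name}: {status} {body}")
```

The forged request is rejected before the value is ever rendered, which is why the unescaped output is only reachable by the token holder; escaping on output removes the reflection regardless of who submits the form.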