Drupal Node Blocks contributed module (6.x-1.3 and 5.x-1.1) XSS

2010.01.23
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1) Discovered by Martin Barbella <martybarbella (at) gmail (dot) com [email concealed]> Description of Vulnerability: ----------------------------- Drupal is a free software package that allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website. (From: http://drupal.org/about) The Node Blocks module allows users to specify content type(s) as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. (From: http://drupal.org/project/nodeblock) The block title is not properly sanitized when a user displays a block created from a node, resulting in a cross site scripting vulnerability. Systems affected: ----------------- This has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous versions may also be affected. Impact: ------- This is an example of a stored cross site scripting vulnerability. Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. (From OWASP: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) Mitigating factors: ------------------- A user must be able to create nodes of a type used by Node Blocks, and this node must be added as a block by a user with the administer blocks permission. Proof of concept: ----------------- 1. Install the Node Blocks module 2. Create a content type with available as block enabled 3. As a user with permission to create nodes of this type, create a node with the title "<script>alert('XSS')</script>" 4. As a user that can administer blocks, add this block to a region 5. Note that an alert box will be displayed when the block is generated on a page Solution: --------- Install version 6.x-1.4 or 5.x-1.2 of the Node Blocks module. Timeline: --------- 2009-12-29 - Drupal Security notified. 2010-01-13 - Security announcement released on drupal.org (http://drupal.org/node/683598) Credit: ------- This vulnerability was reported by Martin Barbella to Khalid Baheyeldin at Drupal Security, and fixed by Thomas Turnbull.

Referencje:

http://www.securityfocus.com/bid/37782
http://www.osvdb.org/61682
http://drupal.org/node/683598
http://drupal.org/node/683586
http://drupal.org/node/683584
http://xforce.iss.net/xforce/xfdb/55606
http://secunia.com/advisories/38186
http://packetstormsecurity.org/1001-exploits/drupalnb-xss.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top