Drupal Protected Node Module XSS Vulnerability

2009.03.01
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Version Tested: 5.x-1.3 on Drupal 5.15

The Drupal Protected Node module (http://drupal.org/project/protected_node) is designed to restrict access to nodes using passwords. When nodes are created they can be protected by selecting 'protected node' and specifying a password. Users attempting to access the node must then enter a password in order to access the node.

Details of this vulnerability can also be found at http://lampsecurity.org/node/28.

The Protected Node module fails to properly sanitize user input entered in the 'Password page info' field under Administer -> Site Configuration -> Protected Node. Users with the 'administer site configuration' permission can access this page.

Steps to reproduce the exploit:

1. Enable the Protected Node module
2. Set permissions (Administer -> User Management) so anonymous users can access protected content in the protected_node module section
3. Click Administer -> Site Configuration -> Protected node
4. Enter the value <script>alert('xss');</script> into the 'Password page info' textarea
5. Create a new piece of content
6. In the 'Protected node' section on the content creation screen check the 'Node is protected' checkbox and enter a password.
7. Save the content.
8. Log out and view the content to trigger the JavaScript

Technical details:

This vulnerability is introduced by a failure to sanitize user input as it is being displayed in the protected_node_enterpassword() function in protected_node.module. Lines 272-274 print out the user-supplied text using the statement:

    $form['protected_node'] = array(
      '#value' => $info
    );

The $info variable should be sanitized using check_plain() or a similar function in order to prevent the XSS vulnerability.

The Drupal security team (http://drupal.org/security) and the module maintainer have been notified.

-- 
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
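The vulnerable statement and the check_plain() fix from the technical details, side by side, as an added example that is not the module's own code. The example_* function names, the stand-in check_plain() and the minimal renderer are assumptions made so the snippet runs outside Drupal.

```php
<?php
// Stand-in for Drupal's check_plain() so this file runs outside Drupal.
// Assumption: it approximates core's behaviour with htmlspecialchars().
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Pattern reported in the advisory: the stored setting is placed in '#value',
// which the form renderer emits as markup without further encoding.
function example_enterpassword_vulnerable($info) {
  $form = array();
  $form['protected_node'] = array('#value' => $info);
  return $form;
}

// Hardened pattern: encode the stored setting at output time.
function example_enterpassword_fixed($info) {
  $form = array();
  $form['protected_node'] = array('#value' => check_plain($info));
  return $form;
}

// Hypothetical minimal renderer: concatenates each element's '#value' as-is,
// mirroring how a markup element's value reaches the page unescaped.
function example_render(array $form) {
  $out = '';
  foreach ($form as $element) {
    if (isset($element['#value'])) {
      $out .= $element['#value'];
    }
  }
  return $out;
}

// Constructed sample input: the value entered in step 4 of the advisory.
$info = "<script>alert('xss');</script>";

$raw  = example_render(example_enterpassword_vulnerable($info));
$safe = example_render(example_enterpassword_fixed($info));

echo "vulnerable output: ", $raw, "\n";
echo "fixed output:      ", $safe, "\n";

// Regression check: the fixed output must not contain a live script tag.
if (stripos($safe, '<script') !== false) {
  fwrite(STDERR, "FAIL: script tag survived output encoding\n");
  exit(1);
}
echo "OK: 'Password page info' text is encoded before display\n";
```

check_plain() displays the setting as plain text; if administrators need some HTML in that field, Drupal's filter_xss_admin() is the "similar function" that strips script-capable markup while keeping ordinary tags.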

References:

http://seclists.org/fulldisclosure/2009/Feb/0363.html

