Drupal 6 Content Access Module XSS

2009-05-27 / 2009-05-28
Credit: Justin Klein Keane
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Details of this disclosure have been posted at http://lampsecurity.org/drupal_6_content_access_xss Vendor Notified: 05/19/2009 Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Content Access Module (http://drupal.org/project/content_access) suffers from a cross site scripting vulnerability because it does not sanitize role names before displaying them on the 'Access Control' screen of managed content types. This vulnerability is exacerbated by the fact that Drupal 6.12 core does not perform input validation on role names as they are being created. This can lead to a situation where users administering role based access controls of content types could be exposed to malicious HTML content. Systems affected: - ----------------- Drupal 6.12 with Content Access 6.x-1.1 was tested and shown to be vulnerable Impact - ------ Authenticated users could be exposed to XSS attacks when administering content access. Users with this responsibility are generally site administrators. Cross site scripting attacks against administrators could lead to full web server process compromise. Mitigating factors: - ------------------- In order to carry out the exploit described below the attacker must be able to inject malicious content into role names, which is possible for authenticated users with the 'administer permissions' permission. Other attack vectors may exist that do not require these restricted permissions. Proof of concept: - ----------------- 1. Install Drupal 6.12 and Content Access 6.x-1.1 2. Click Administer -> User management -> Roles 3. Enter "<script>alert('xss');</script>" in the "Name" textarea 4. Click the "Add Role" button 5. Observe JavaScript alert 6. Click on Administer -> Content Types 7. Click on 'edit' next to any content type 8. Click on 'Access control' link 9. Observe the JavaScript alert multiple times Vendor Response - --------------- Drupal security was notified of this vulnerability on 5/19/2009. Vendor has declined to issue an official security announcement due to the restricted access rights required to carry out the proof of concept exploit. Vendor has filed a bug with the module maintainer at http://drupal.org/node/472494. - -- Justin C. Klein Keane http://www.MadIrish.net http://LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org iPwEAQECAAYFAkocV0YACgkQkSlsbLsN1gAQuQb9EYSb+J7eDst+jK/zAEmhqtqY plXxiotJUtNKGCBtcunVAhA1YtQE3OAgAMwvhLvdYwM9d3A+NaQSu74IGrY5Q4rp T1yiJwFW7rTmu3fo1TdSouNr2gZ6sfa5/089Rl4ZxMfiRQPv8jJFMdF65qDpJaaM UNZEfMxUCJXuRVESDDx3P2h0liF0P+1xQiHB4oxsKhkWstV5hk9vhHIiNxjK63sS r+bh0hxlQHUIO4UtWbZgoSeb1+GVip+I3bUjkMNcLre/unagjwaphGaS8CmyuefS +Ic4IUkI5ouAfNSEcPw= =nPoy -----END PGP SIGNATURE-----

References:

http://seclists.org/fulldisclosure/2009/May/0232.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top