Drupal Taxonomy Manager Module XSS Vulnerability

2009.06.12
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Summary Report
Author: Justin C. Klein Keane <justin_at_madirish.net>
Vendor Response: See below

Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-6-taxonomy-manager-xss-vulnerability

Description of Vulnerability:
- ---------------------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Taxonomy Manager is a module that "provides an [sic] powerful interface for managing a taxonomy vocabulary. A vocabulary gets displayed in a dynamic tree view, where parent terms can be expanded to list their nested child terms or can be collapsed."

The Taxonomy Manager suffers from a cross site scripting (XSS) vulnerability because it fails to properly sanitize the "Vocabulary name" during output, allowing for the injection of arbitrary HTML.

Systems affected:
- --------------------------
Drupal 6.12 with Taxonomy Manager 6.x-1.0 was tested and shown to be vulnerable.

Impact:
- ----------
XSS vulnerabilities may expose site administrative accounts to compromise, which could lead to web server process compromise.

Mitigating factors:
- -------------------------
Taxonomy Manager must be installed and enabled. The attacker must have 'administer taxonomy' permissions in order to carry out the proof of concept exploit detailed below. Note that the proof of concept provided utilizes known attack vectors; other vectors may exist.

Proof of concept:
- -------------------------
1. Install Drupal 6.12.
2. Install and enable the Taxonomy Manager module.
3. Click on 'Administer' -> 'Taxonomy Manager'.
4. Click 'Add new vocabulary'.
5. Fill in "<script>alert('xss');</script>" for the 'Vocabulary name:' textarea value.
6. Enter arbitrary data for the rest of the input.
7. Click 'Save'.
8. In Administer -> Content management -> Taxonomy, click 'add terms' next to the new taxonomy.
9. Fill in arbitrary values for the new term.
10. Click 'Save'.
11. Click on Administer -> Content management -> Taxonomy Manager.
12. Click the link under 'Vocabularies:' for the new vocabulary.
13. View the JavaScript alert.

Vendor Response:
- ---------------------------
Upgrade to the latest version of the Taxonomy Manager module - http://drupal.org/node/487818.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iPwEAQECAAYFAkowGUcACgkQkSlsbLsN1gCD/Qb/cn4hgOe5N5o65ReXGg3gqnQf
wQCuNQ7Mav0GNZeLEOQ+GjvlSXRyKmKYOTWDNVcJZaVCznYynh7/ZFHooeQDkGw0
jf6w+XgLeCjgELRXKWlB7k3zOtWK7pqmvJRgsqgjmMiVAq8re+aois7kwxT1CPd+
iopqZPbkPF1Vh7sNugxkD6wjfBc1g1MtEUIUJqFWgLsK07vCVHyhwECxxAiw3Lpa
e6qKbbivhKoV/EQh6quGwWuTplzI7Nt8XMlEUm2hxIWB6MM0dFD4W0AoygWiIwG1
xh00P0zPeGZcL20JWRU=
=veg8
-----END PGP SIGNATURE-----
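The defect the advisory describes is a stored value (the vocabulary name) being written into HTML without output escaping. The following is an added illustration, not code from the Taxonomy Manager module or from the advisory's author: a minimal stand-in for rendering the 'Vocabularies:' list, first with the name concatenated raw (the failure mode), then with escaping applied at output time, plus a small check a reviewer can run over rendered fragments. The function names, the `admin/content/taxonomy_manager/` link path and the sample vocabulary rows are assumptions made for this example; Drupal 6's real escaping routine is `check_plain()`, which wraps `htmlspecialchars()`, and `escape_plain()` below is a local equivalent so the script runs outside Drupal.

```php
<?php
// Added example (not the module's own code). Demonstrates output escaping
// of a user-controlled vocabulary name, the fix class for CWE-79 here.

// Constructed sample rows; the second name is the advisory's proof-of-concept value.
$vocabularies = array(
    array('vid' => 1, 'name' => 'Tags'),
    array('vid' => 2, 'name' => "<script>alert('xss');</script>"),
);

// Hypothetical link path, chosen to resemble the module's admin screen.
define('VOCAB_LINK_BASE', 'admin/content/taxonomy_manager/');

// Vulnerable pattern: the stored name is echoed straight into markup.
function render_vocab_link_unsafe(array $vocab) {
    return '<a href="' . VOCAB_LINK_BASE . (int) $vocab['vid'] . '">'
        . $vocab['name'] . '</a>';
}

// Local stand-in for Drupal 6 check_plain(): escape &, <, >, " and ' at output.
function escape_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: same markup, but the name is escaped at the point of output.
function render_vocab_link_safe(array $vocab) {
    return '<a href="' . VOCAB_LINK_BASE . (int) $vocab['vid'] . '">'
        . escape_plain($vocab['name']) . '</a>';
}

// Reviewer check: a rendered fragment must not contain the raw name unless
// the name is already inert (escaping it changes nothing).
function output_escapes_name(array $vocab, $rendered) {
    $inert = ($vocab['name'] === escape_plain($vocab['name']));
    return $inert || strpos($rendered, $vocab['name']) === false;
}

foreach ($vocabularies as $vocab) {
    $unsafe = render_vocab_link_unsafe($vocab);
    $safe   = render_vocab_link_safe($vocab);
    printf("unsafe: %s\n  escaped at output? %s\n",
        $unsafe, output_escapes_name($vocab, $unsafe) ? 'yes' : 'NO');
    printf("safe:   %s\n  escaped at output? %s\n",
        $safe, output_escapes_name($vocab, $safe) ? 'yes' : 'NO');
}
```

Run with `php example.php`. For the plain name 'Tags' both renderers pass the check; for the script payload only `render_vocab_link_safe()` passes, because the `<` and `>` arrive in the page as `&lt;` and `&gt;` and the browser treats them as text rather than a script element. The general rule the example illustrates is that escaping belongs at the output boundary (Drupal's `check_plain()` for plain text, or a filtered-HTML routine where markup is intended), not at storage time, since the same stored value may be rendered in several contexts.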

References:

http://seclists.org/fulldisclosure/2009/Jun/0114.html
