Drupal With Webform Cross Site Scripting

2011.05.25
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Vulnerability Report

Original Date of Vendor Notification: April 19, 2011 15:15 (GMT - 4:00)

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Webform module (http://drupal.org/project/webform) "adds a webform node type to your Drupal site." The Drupal Webform module is the 13th most popular third-party contributed module in the Drupal project, installed on more than 116,000 sites. The module contains multiple cross site scripting (XSS) vulnerabilities because it fails to sanitize user-supplied input before display. The module also fails to restrict file uploads to the Drupal installation directory.

Systems affected:
-----------------
Drupal 6.20 with Webform 6.x-2.10, Drupal 7.0 with Webform 7.x-3.9 and Drupal 5.23 with Webform 5.x-2.10 were all tested and shown to be vulnerable.

Impact
------
In specific scenarios unauthenticated users could inject arbitrary scripts into pages affecting site administrative users. This could result in administrative account compromise leading to web server process compromise. Another likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences. Attackers could also use file uploads in webforms to write arbitrary files to the filesystem as the web server.

Mitigating factors:
-------------------
In order to exploit the form name upload XSS vulnerability, users must be able to submit webforms with file components, including unauthenticated users.

In order to exploit the form configuration vulnerabilities (using component names), the attacker must have credentials for an authorized account that has been assigned the permissions to create and/or edit a webform. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials. File uploads are restricted by type based on extension and can only be written to locations to which the file server has permissions.

Proof of Concept:
-----------------
Upload directory:
1. Install Drupal and the Webform module
2. Create a new webform at ?q=node/add/webform, using arbitrary values
3. Edit the form components at ?q=node/X/edit/components where 'X' is the node id
4. Type an arbitrary name for a new form component, select 'file' as the type, then click 'Add'
5. In the resulting screen enter "../../../../../../../../../../../../tmp" in the 'Upload Directory'
6. Click submit
7. View the form at ?q=node/X
8. Select a file using the 'Browse' button, then submit the form
9. Viewing the filesystem, the uploaded file can be found in the /tmp directory

File name:
1. Install Drupal and the Webform module
2. Create a new webform at ?q=node/add/webform, using arbitrary values
3. Edit the form components at ?q=node/X/edit/components where 'X' is the node id
4. Type an arbitrary name for a new form component, select 'file' as the type, then click 'Add'
5. Enter arbitrary values for the file component definitions
6. View the form at ?q=node/X
7. Select a file named "<iframe src='index.php' onLoad='javascript:alert("xss");'>.jpg" using the 'Browse' button, then submit the form
8. View the results at ?q=node/X/webform-results and click the 'View' link under 'Operations' for the just submitted form
9. The iframe and associated JavaScript are rendered at ?q=node/X/submission/Y where X is the nid and Y is the submission id

Component name:
1. Install Drupal and the Webform module
2. Create a new webform at ?q=node/add/webform, using arbitrary values
3. Edit the form components at ?q=node/X/edit/components where 'X' is the node id
4. Create a new component named '<script>alert("xss");</script>' of any type and click the 'Add' button
5. Fill out and submit the form at ?q=node/X where X is the nid
6. View the 'Analysis' of 'Results' at ?q=node/X/webform-results/analysis to view the rendered JavaScript
7. View the 'Table' of 'Results' at ?q=node/X/webform-results/table to view the XSS and the file upload name XSS attack

Vendor Response:
----------------
No fix for the Drupal 5 version. Upgrade to the latest version of Webform for Drupal 6 and Drupal 7.
http://drupal.org/node/1161954

--
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the PGP key located at: http://www.madirish.net/gpgkey

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
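As an added example (not the Webform module's own code, nor the fix the vendor shipped), the two checks that close the issues described above in plain PHP: confining the administrator-supplied 'Upload Directory' to the site's files directory, and escaping component and file names before they are rendered. The function names and the files path are assumptions; inside Drupal the escaping is what check_plain() does.

```php
<?php
// Added hardening example, not the Webform module's own code. Plain PHP with no
// Drupal bootstrap so it runs stand-alone; function names are hypothetical.

/**
 * Accept an administrator-supplied "Upload Directory" only if it stays inside
 * the site's files directory. Segments are normalised without touching the
 * filesystem, so the check works for directories that do not exist yet; any
 * ".." that would climb above the base rejects the whole value.
 * Returns the full directory path, or NULL when the value is rejected.
 */
function webform_safe_upload_dir($files_dir, $user_dir) {
    $segments = array();
    foreach (preg_split('#[/\\\\]+#', $user_dir) as $seg) {   // split on / or \
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($segments)) {
                return NULL;  // would escape the files directory
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    $base = rtrim($files_dir, '/');
    return empty($segments) ? $base : $base . '/' . implode('/', $segments);
}

/**
 * Escape untrusted text (component names, uploaded file names, submitted
 * values) before placing it in HTML; same behaviour as Drupal's check_plain().
 */
function webform_escape($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the traversal string from the advisory's PoC, a normal
// subdirectory, and one with redundant segments that still resolves inside.
$files_dir = '/var/www/html/sites/default/files';
foreach (array('../../../../../../../../../../../../tmp', 'webform/uploads', 'a/../b/./c') as $dir) {
    $safe = webform_safe_upload_dir($files_dir, $dir);
    printf("%-42s => %s\n", $dir, $safe === NULL ? 'REJECTED' : $safe);
}
// The component-name and file-name payloads from the advisory, rendered inert.
echo webform_escape('<script>alert("xss");</script>'), "\n";
echo webform_escape("<iframe src='index.php' onLoad='javascript:alert(\"xss\");'>.jpg"), "\n";
```

The directory check runs on the configured value rather than on the filesystem, so a production version should additionally compare realpath() of the created directory against the files directory to catch symlinks.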

