Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21841
HistoryMay 19, 2009 - 12:00 a.m.

[Full-disclosure] Drupal 6 CCK Module XSS Vulnerability

2009-05-1900:00:00
vulners.com
21
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vendor Notified: 05/18/09
Vendor Response: Karoly Negyesi of Drupal security denies issue exists.
Drupal security has responded to reports of CCK based XSS
vulnerabilities in past with http://drupal.org/node/372836, which
basically shirks the issue. Although a problem clearly exists, Drupal
seems unconcerned with fixing it, instead semantically hiding the
vulnerability behind a reclassification of permissions that appears only
in SA-CORE-2009-002 rather than in either the Drupal interface or
documentation.

Details of this report are also published at
http://lampsecurity.org/drupal-cck-xss-vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The Drupal Content Creation Kit (CCK) is a module
that allows site maintainers to modify content types by associating
custom fields with specific content types. The Drupal CCK module
contains a vulnerability that could allow an authenticated attacker to
inject arbitrary script into administration screens for content types.
This could allow an attacker to issue a cross site scripting (XSS)
attack against Drupal users with elevated privilege levels.

Systems affected:

Drupal 6.12 with CCK 6.x-2.2 was tested and shown to be vulnerable

Mitigating factors:

CCK must be installed and enabled. Attacker must have 'administer
content types' permissions in order to exploit this vulnerability.

Proof of concept:

  1. Install Drupal 6.12.
  2. Install CCK and enable all CCK functionality through dminister ->
    Modules
  3. Click on Administer -> Content management -> Content types
  4. Select a type and click the 'manage fields' operation
  5. Click 'edit' to edit the node-type
  6. Expand the 'Submission form settings' input area
  7. Fill in "<script>alert('title');<;/script>" for the "Title field label"
  8. Fill in "<script>alert('body');</script>" for the "Body field label"
  9. Click 'Save content type'
  10. Click Administer -> Content Management -> Content types
  11. Click "manage fields" link for the type selected in #4 above
  12. Observe two JavaScript alerts

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBShHDh5EpbGy7DdYAAQKbfgcAijtPqazvwOhltQmuep/+tP1scvmaifGa
keMcKb7pTyP/GVJxrPoUeCif287myaD25jwL4P3SVS4+cUgTbWbwZGRc5QZdk8Kd
E6GV05WL7Ufo7bmqPecOj4QuiYD7zl/dFX8o188nViqmvB8xnQqRYywL3wRhPSI7
suDuEAeCNKxr5IGzNs5mS6ZaF/gQRF7KKt2yKwlv/MDhvf0uwRU0hfpJ+MLTbCbf
wJNhXoG3aT00prXgmBxsTSzAMBhp4tG2ufBc1aLRYn26lCoBUNO9a3mk+a+xiKQb
TtEDePFbRIw=
=cfte
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON