Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25493
HistoryJan 17, 2011 - 12:00 a.m.

Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

2011-01-1700:00:00
vulners.com
26
JSON

==========================================================================
Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

  1. OVERVIEW

Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting.

  1. BACKGROUND

Drupal is a free software package that allows anyone to easily
publish, manage and organize a wide variety of content on a website.
Hundreds of thousands of people and organizations are using Drupal to
power an endless variety of sites.

  1. VULNERABILITY DESCRIPTION

The 'site_footer', 'name', 'explanation' parameters are not properly
sanitized in administration backend of Drupal 5.x and 6.x versions,
which could allow attackers to conduct stored cross site scripting
attacks.

  1. VERSIONS AFFECTED

The vulnerability was tested in Drupal version 5.23 and 6.20,
currently latest versions of 5.x and 6.x families.
The recent released version Drupal 7 seems to be not vulnerable.

  1. PROOF-OF-CONCEPT/EXPLOIT

=> XSS in Footer (parameter: site_footer, module: system, url:
admin/settings/site-information)

The 'site_footer' parameter is not properly sanitized at site
information page (admin/settings/site-information)
and XSS payload can be set as footer text.
XSS will execute after "Administration theme" (url:
admin/settings/admin) is set to Marvin, and Chamelon.

=> XSS in Role (parameter: name, module: role, url: admin/user/roles)

The 'name' parameter is not properly sanitized and XSS payload can be
set as a role name.
This will affect in administration pages as well as user registration
page if the role is set to be shown.

=> XSS in Profile (parameter: explanation, module: profile, url:
admin/user/profile)

The 'explanation' parameter is not properly sanitized when adding new

* single-line textfield
* multi-line textfield
* checkbox
* list selection
* freeform list
* URL
* date

XSS can be executed in user registration page, user profile, and
member list pages if it is set to be visible.

See:
http://attacker.in/drupal6/
http://attacker.in/drupal6/user/register
http://attacker.in/drupal6/user/[ID]/edit/xss

  1. IMPACT

This XSS attack can be directly conducted on drupal sites where
anti-csrf form_token check is disabled.
If it is enabled, attacker must find ways to bypass anti-csrf token
using revolutionary or traditional methods.
After compromising it, attackers can plant persistent XSS backdoors in
user registration page,user profile page, member list pages, user
roles and profile settings pages of administration backend.

  1. SOLUTION

Upgrade to Drupal 7.
Lock down access to administration backend.
Disable Full HTML formatting for sites that allow public user registration.

  1. VENDOR

Drupal Development Team
http://drupal.org

  1. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

  1. DISCLOSURE TIME-LINE

2010-12-30: notified vendor
2010-12-31: vendor replied 'not considered as vulnerabilities'
2011-01-14: vulnerability disclosed

  1. VENDOR RESPONSE

> The issues you report are not considered security vulnerabilities since advanced permissions
>(which in and of themselves would allow malicious users to take over a site) are required
> in order to exploit them. For the issues you reported, "administer site configuration" is required to
> edit the site footer message, and "administer users" is required to add/edit role names and profile fields.
>
> See the section "What About Vulnerabilities Which Require Advanced Permissions?" in
> http://drupal.org/security-advisory-policy for additional information.

  1. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/
About Drupal: http://drupal.org/about
Drupal Security Policy: http://drupal.org/security-advisory-policy
Disabling Form Token Check: http://data.agaric.com/node/2343
Anti-CSRF measures and XSS:
http://nileshkumar83.blogspot.com/2010/07/anti-csrf-measures-and-xss.html
Bypassing CSRF protections:
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
Defeating Anti-CSRF XSS:
http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/
Defeating Anti-CSRF XSS:
http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html

#yehg [2011-01-14]

Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

JSON