Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Drupal Download Count Module XSS Vulnerability

From: Justin Klein Keane <justin () madirish net>
Date: Thu, 23 Jun 2011 08:56:57 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Report

April 4, 2011 14:30 (GMT - 4:00)


Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Download Count module
(http://drupal.org/project/download_count) is designed to keep track of
file downloads on Drupal sites.  This module contains multiple cross
site scripting (XSS) vulnerabilities due to the fact that it fails to
sanitize user supplied input before display.  Download Count was
unpublished at version 6.x-1.3 for similar problems (SA-CONTRIB-2010-052
- -http://drupal.org/node/803728).

Systems affected:
- -----------------
Drupal 6.19 with Download Count 6.x-1.5 was tested and shown to be
vulnerable.

Impact
- ------
User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise.  A more likely scenario would be for an
attacker to inject hidden content (such as iframes, applets, or embedded
objects) that would attack client browsers in an attempt to compromise
site users' machines.  This vulnerability could also be used to launch
cross site request forgery (XSRF) attacks against the site that could
have other unexpected consequences.

Mitigating factors:
- -------------------
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the
permissions to administer download count.  This could be accomplished
via social engineering, brute force password guessing, or abuse or
legitimate credentials.  XSS affects only pages that users with 'view
all downloads count' permission can access (such as site admins).

Proof of Concept:
- -----------------
1.  Install Drupal and Download Count module
2.  Navigate to the Download counter admin page at
?q=admin/settings/download_count
3.  Enter "<script>alert('xss1');</script>" in the 'Title' field
4.  Save the form
5.  View rendered JavaScript at ?q=download_counter

Vendor Response:
- -----------------
"Disable the Download Count module and remove the module from your
filesystem." Ref http://drupal.org/node/1196670

Patch:
- ------------------------------------------
Applying the following patches mitigates these issues in version 6.x-1.5

- --- download_count/download_count.module      2010-05-30 15:40:04.000000000
-0400
+++ download_count/download_count.module        2011-04-04 14:17:43.503554109 -0400
@@ -121,7 +121,7 @@ function download_count_admin_settings()
 }
 function download_count_view_page() {
   global $user;
- -  drupal_set_title(variable_get('download_counter_view_page_title',
t('Download counter')));
+
drupal_set_title(check_plain(variable_get('download_counter_view_page_title',
t('Download counter'))));
   $header[] = array('data' => t('filename'), 'field' => 'filename');
   $header[] = array('data' => t('hits'), 'field' => 'count', 'sort' =>
'desc');
   $header[] = array('data' => t('last download'), 'field' => 'timestamp');
@@ -145,9 +145,9 @@ function download_count_view_page() {
   if (empty($rows)) {
     $rows[] = array(array('data' => t('No file attachment has been
downloaded.'), 'colspan' => '4'));
   }
- -  $output =
check_markup(variable_get('download_counter_view_page_header', ''),
variable_get('download_counter_view_page_format', 0), false);
+  $output =
check_markup(check_plain(variable_get('download_counter_view_page_header',
'')), variable_get('download_counter_view_page_format', 0), false);
   $output .= theme('table', $header, $rows, array('class' =>
'download_count'));
- -  $output .=
check_markup(variable_get('download_counter_view_page_footer', ''),
variable_get('download_counter_view_page_format', 0), false);
+  $output .=
check_markup(check_plain(variable_get('download_counter_view_page_footer',
'')), variable_get('download_counter_view_page_format', 0), false);
   return $output;
 }
 /**

Full details are also available at http://www.madirish.net/?article=492

- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk4DOBYACgkQkSlsbLsN1gBNmgb8CtCwY6YhnwYNF/X6UjN453NA
KHFCBNM9ZH7fOrQ6kf+g1UHMO9WHvkzea08iigtFYA3VS0WkHrHccw0+ATYmxfSk
yCoRNez6iK78F4wi7fJTJPNCnoE0L7ogg3AccNDphR1JipNkLtzuOFJMrYGZpZ+y
UEdQS4+SOvqJB19G1PU1uAhtQoj+sqK9DzGdK57eyIkChJjVbQzWpH3Y0LMRz1c/
92qC6sNyipvKv76rX31IzV7Dh+QhDIoNHmmjiDg3jHV8pHP4+hLWLeAdrU3UxQJI
H1QFeDsnBytK0qXZ2Js=
=si5G
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: