XSS and AoF vulnerabilities in Drupal

["MustLive" <mustlive () websecurity com ua>]

Hello list!

I want to warn you about Cross-Site Scripting and Abuse of Functionality
vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Vulnerable are Drupal 6.22 and previous versions. Taking into account that
developers didn't fixed these holes, then versions 7.x also must be
vulnerable.

----------
Details:
----------

XSS (WASC-08):

At adding or editing of data in any internal forms (add/edit post, etc.)
it's possible to conduct persistent XSS attack. XSS code will execute at
visiting of edit page (edit post, etc.). The attack is conducting on any
forms with turned on FCKeditor/CKeditor (which are very widespread on sites
on Drupal). Such attack can be conducted and on forms with TinyMCE - I wrote
already about such vulnerabilities in PHP-Nuke via TinyMCE
(http://packetstormsecurity.org/files/view/99162/phpnuke-iaaxss.txt).

For attack it's needed to set in filed of the form in "Source" mode:
<img onerror="alert(document.cookie)" src="1" />

Also it's possible to send POST request with token and attacking code in
parameter body.

The attack can be conducted only on logged-in user which is an owner of this
account or on admin of the site. I.e. user will save attacking code by
himself and trick admin on that page, or with taking into account anti-CSRF
protection the token will be received via reflected XSS vulnerability to
conduct persistent XSS attack on the user or admin.

Abuse of Functionality (WASC-42):

There are two new vulnerabilities which allow to enumerate logins of the
users. At special request to search on users it's possible to reveal logins
of all users of the site.

http://site/search/user/%25
http://site/search/user_search/%25

In rss-feeds of the site, particularly in main rss-feed
(http://site/rss.xml), it's possible to reveal logins of users of the site,
which materials are shown in this feed.

As developers noted me about last vulnerabilities, they didn't see risk in
them and considered them as feature. And officially state
(http://drupal.org/node/1004778) they will not be fixing them. Leaving all
users of Drupal engine with these issues (and I wrote about 8 such
vulnerabilities in total in this engine), at that recommending in above-
mentioned document for those who concerned to use third-party solutions.

------------
Timeline:
------------

2010.12.11 - when I informed developers about previous multiple
vulnerabilities in Drupal, I told them briefly about these holes.
2011.04.12 - announced at my site.
2011.04.13 - informed developers.
2011.06.24 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5074/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/