Full Disclosure mailing list archives
XSS and AoF vulnerabilities in Drupal
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 24 Jun 2011 23:58:32 +0300
Hello list! I want to warn you about Cross-Site Scripting and Abuse of Functionality vulnerabilities in Drupal. ------------------------- Affected products: ------------------------- Vulnerable are Drupal 6.22 and previous versions. Taking into account that developers didn't fixed these holes, then versions 7.x also must be vulnerable. ---------- Details: ---------- XSS (WASC-08): At adding or editing of data in any internal forms (add/edit post, etc.) it's possible to conduct persistent XSS attack. XSS code will execute at visiting of edit page (edit post, etc.). The attack is conducting on any forms with turned on FCKeditor/CKeditor (which are very widespread on sites on Drupal). Such attack can be conducted and on forms with TinyMCE - I wrote already about such vulnerabilities in PHP-Nuke via TinyMCE (http://packetstormsecurity.org/files/view/99162/phpnuke-iaaxss.txt). For attack it's needed to set in filed of the form in "Source" mode: <img onerror="alert(document.cookie)" src="1" /> Also it's possible to send POST request with token and attacking code in parameter body. The attack can be conducted only on logged-in user which is an owner of this account or on admin of the site. I.e. user will save attacking code by himself and trick admin on that page, or with taking into account anti-CSRF protection the token will be received via reflected XSS vulnerability to conduct persistent XSS attack on the user or admin. Abuse of Functionality (WASC-42): There are two new vulnerabilities which allow to enumerate logins of the users. At special request to search on users it's possible to reveal logins of all users of the site. http://site/search/user/%25 http://site/search/user_search/%25 In rss-feeds of the site, particularly in main rss-feed (http://site/rss.xml), it's possible to reveal logins of users of the site, which materials are shown in this feed. As developers noted me about last vulnerabilities, they didn't see risk in them and considered them as feature. And officially state (http://drupal.org/node/1004778) they will not be fixing them. Leaving all users of Drupal engine with these issues (and I wrote about 8 such vulnerabilities in total in this engine), at that recommending in above- mentioned document for those who concerned to use third-party solutions. ------------ Timeline: ------------ 2010.12.11 - when I informed developers about previous multiple vulnerabilities in Drupal, I told them briefly about these holes. 2011.04.12 - announced at my site. 2011.04.13 - informed developers. 2011.06.24 - disclosed at my site. I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5074/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS and AoF vulnerabilities in Drupal MustLive (Jun 24)
- <Possible follow-ups>
- XSS and AoF vulnerabilities in Drupal MustLive (Jun 28)