Superfish 7.x-1.9 Cross Site Scripting

2014-08-05T00:00:00
ID PACKETSTORM:127767
Type packetstorm
Reporter Ubani Anthony Balogun
Modified 2014-08-05T00:00:00

Description

                                        
Superfish 7.x-1.9 Cross Site Scripting Vulnerability  
====================================================  
  
Author: Ubani A Balogun <ubani@sas.upenn.edu>  
Reported: June 25, 2014  
  
Product Description:  
--------------------  
Superfish integrates jQuery Superfish plugin with your Drupal menus.  
  
Description of Vulnerability:  
-----------------------------  
Superfish suffers from a minor Cross Site Scripting vulnerability due  
to its failure to sanitize error messages before displaying them using  
the Drupal form_set_error function on the module configuration page.  
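
To look for the same pattern elsewhere in a Drupal 7 code base, the following added example (not part of the advisory or of the Superfish module) flags form_set_error() calls whose message argument is neither a plain literal nor wholly wrapped in a sanitizer; it generalises beyond the single call this advisory covers. The SANITIZERS list, the helper names and the sample source are assumptions constructed for illustration.

```python
import re

# Drupal 7 functions whose return value is safe to print as HTML. t() is listed on
# the assumption that it is used with '@' or '%' placeholders ('!' inserts raw text).
SANITIZERS = {"check_plain", "filter_xss", "filter_xss_admin", "t"}
# A quoted PHP string is one token, so commas and brackets inside it are ignored.
TOKEN = re.compile(r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[()\[\],]""")

def parse_call(src, open_paren):
    """Return (args, close_index) for the call whose '(' is at src[open_paren]."""
    args, depth, start = [], 0, open_paren + 1
    for tok in TOKEN.finditer(src, start):
        ch = tok.group()
        if ch in ("(", "["):
            depth += 1
        elif ch in (")", "]") and depth:
            depth -= 1
        elif ch == ")":                          # closes the call itself
            return args + [src[start:tok.start()].strip()], tok.start()
        elif ch == "," and depth == 0:           # top-level argument separator
            args.append(src[start:tok.start()].strip())
            start = tok.end()
    return args, -1                              # unbalanced source

def is_sanitized(expr):
    """True for a single-quoted literal or an expression wholly wrapped in a sanitizer."""
    if re.fullmatch(r"'(?:[^'\\]|\\.)*'", expr):
        return True
    m = re.match(r"(\w+)\s*\(", expr)
    return bool(m and m.group(1) in SANITIZERS
                and parse_call(expr, m.end() - 1)[1] == len(expr) - 1)

def audit(src):
    """Return (line, message_expr) for each form_set_error() call that needs review."""
    hits = []
    for m in re.finditer(r"\bform_set_error\s*\(", src):
        args, _ = parse_call(src, m.end() - 1)
        if len(args) >= 2 and not is_sanitized(args[1]):
            hits.append((src.count("\n", 0, m.start()) + 1, args[1]))
    return hits

# Constructed sample: the advisory's call before and after its patch, plus a partial wrap.
SAMPLE = """<?php
form_set_error('superfish_slp', $error_message);
form_set_error('superfish_slp', check_plain($error_message));
form_set_error('superfish_slp', t('File not found') . ': ' . $error[0]);
"""

if __name__ == "__main__":
    for line, expr in audit(SAMPLE):
        print(f"line {line}: review message argument: {expr}")
```

A hit is a prompt for manual review rather than proof of a flaw, since a variable may already have been escaped where it was built.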
  
System impacted:  
----------------  
Superfish 7.x-1.9 was tested on Drupal 7.28 using the Mozilla Firefox  
29.0 browser and found to be vulnerable.  
  
Impact:  
-------  
Users with the permission to administer the superfish module can  
inject arbitrary script via the module configuration form that  
executes if form validation fails.  
  
Mitigating Factors:  
-------------------  
A malicious user must have permissions to administer the superfish  
module in order to inject and execute arbitrary script. The  
vulnerability is further mitigated by the fact that the injected  
script is not persistent, thus reducing the impact of the vulnerability.  
  
Proof of Concept:  
-----------------  
1. Install and enable Superfish 7.x-1.9 on Drupal 7.28  
2. Navigate to the superfish administration page at  
?q=admin/config/user-interface/superfish.  
3. Replace the contents of the text area "Path to Superfish library"  
with: "<script>alert('XSS')</script>" (excluding quotes)  
4. Click save configuration. Form validation fails, but a JavaScript  
alert box with the text "XSS" pops up.  
  
Patch:  
------  
The following patch mitigates the vulnerability:  
  
- --- superfish.admin.inc 2014-06-25 13:23:30.274737050 -0400  
+++ superfish.admin_xssfixed.inc 2014-06-25 13:26:59.542740204 -0400  
@@ -107,7 +107,7 @@ function superfish_admin_settings_valida  
else {  
$error_message = t('File not found') . ': ' . $error[0];  
}  
- - form_set_error('superfish_slp', $error_message);  
+ form_set_error('superfish_slp', check_plain($error_message));  
}  
}  
}  
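
Review bot: check_plain() at the form_set_error() call escapes the whole of $error_message, including the t('File not found') output, so it covers every branch that builds the message but would also display literally any markup a translation or the branch before this "else" puts there on purpose. Consider escaping only the user-supplied part where it is concatenated, for example t('File not found: @path', array('@path' => $error[0])), because the '@' placeholder in Drupal 7's t() passes the value through check_plain(); the other assignments to $error_message are outside this hunk and need the same check. The "- " prefixes on the "---" header and on the removed line are PGP dash-escaping from the signed message and have to be stripped before the patch will apply.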
  
  
Vendor Response:  
----------------  
The Drupal security team has acknowledged the existence of the  
vulnerability and will be addressing the issue publicly. Due to the  
low exploitability of the vulnerability, a patch will be released at  
the module maintainer's earliest convenience.  
  
--   
Ubani Anthony Balogun  
Information Security and Unix Services  
University of Pennsylvania  
School of Arts and Sciences  
3600 Market St.  
Suite 501  
Philadelphia, PA 19104  