`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vendor Notified: 05/18/09
Vendor Response: Karoly Negyesi of Drupal security denies issue exists.
Drupal security has responded to reports of CCK based XSS
vulnerabilities in past with http://drupal.org/node/372836, which
basically shirks the issue. Although a problem clearly exists, Drupal
seems unconcerned with fixing it, instead semantically hiding the
vulnerability behind a reclassification of permissions that appears only
in SA-CORE-2009-002 rather than in either the Drupal interface or
documentation.
Details of this report are also published at
http://lampsecurity.org/drupal-cck-xss-vulnerability
Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The Drupal Content Creation Kit (CCK) is a module
that allows site maintainers to modify content types by associating
custom fields with specific content types. The Drupal CCK module
contains a vulnerability that could allow an authenticated attacker to
inject arbitrary script into administration screens for content types.
This could allow an attacker to issue a cross site scripting (XSS)
attack against Drupal users with elevated privilege levels.
Systems affected:
- -----------------
Drupal 6.12 with CCK 6.x-2.2 was tested and shown to be vulnerable
Mitigating factors:
- -------------------
CCK must be installed and enabled. Attacker must have 'administer
content types' permissions in order to exploit this vulnerability.
Proof of concept:
- -----------------
1. Install Drupal 6.12.
2. Install CCK and enable all CCK functionality through dminister ->
Modules
3. Click on Administer -> Content management -> Content types
4. Select a type and click the 'manage fields' operation
5. Click 'edit' to edit the node-type
6. Expand the 'Submission form settings' input area
7. Fill in "<script>alert('title');<;/script>" for the "Title field label"
8. Fill in "<script>alert('body');</script>" for the "Body field label"
9. Click 'Save content type'
10. Click Administer -> Content Management -> Content types
11. Click "manage fields" link for the type selected in #4 above
12. Observe two JavaScript alerts
- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQD1AwUBShHDh5EpbGy7DdYAAQKbfgcAijtPqazvwOhltQmuep/+tP1scvmaifGa
keMcKb7pTyP/GVJxrPoUeCif287myaD25jwL4P3SVS4+cUgTbWbwZGRc5QZdk8Kd
E6GV05WL7Ufo7bmqPecOj4QuiYD7zl/dFX8o188nViqmvB8xnQqRYywL3wRhPSI7
suDuEAeCNKxr5IGzNs5mS6ZaF/gQRF7KKt2yKwlv/MDhvf0uwRU0hfpJ+MLTbCbf
wJNhXoG3aT00prXgmBxsTSzAMBhp4tG2ufBc1aLRYn26lCoBUNO9a3mk+a+xiKQb
TtEDePFbRIw=
=cfte
-----END PGP SIGNATURE-----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation