Lucene search
+L

Drupal CCK Cross Site Scripting

🗓️ 19 May 2009 00:00:00Reported by Justin C. Klein KeaneType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 104 Views

Drupal CCK Cross Site Scripting vulnerability in Drupal 6.12 with CCK 6.x-2.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Vendor Notified: 05/18/09  
Vendor Response: Karoly Negyesi of Drupal security denies issue exists.  
Drupal security has responded to reports of CCK based XSS  
vulnerabilities in past with http://drupal.org/node/372836, which  
basically shirks the issue. Although a problem clearly exists, Drupal  
seems unconcerned with fixing it, instead semantically hiding the  
vulnerability behind a reclassification of permissions that appears only  
in SA-CORE-2009-002 rather than in either the Drupal interface or  
documentation.  
  
Details of this report are also published at  
http://lampsecurity.org/drupal-cck-xss-vulnerability  
  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL that provides extensibility through hundreds of  
third party modules. The Drupal Content Creation Kit (CCK) is a module  
that allows site maintainers to modify content types by associating  
custom fields with specific content types. The Drupal CCK module  
contains a vulnerability that could allow an authenticated attacker to  
inject arbitrary script into administration screens for content types.  
This could allow an attacker to issue a cross site scripting (XSS)  
attack against Drupal users with elevated privilege levels.  
  
Systems affected:  
- -----------------  
Drupal 6.12 with CCK 6.x-2.2 was tested and shown to be vulnerable  
  
Mitigating factors:  
- -------------------  
CCK must be installed and enabled. Attacker must have 'administer  
content types' permissions in order to exploit this vulnerability.  
  
Proof of concept:  
- -----------------  
1. Install Drupal 6.12.  
2. Install CCK and enable all CCK functionality through dminister ->  
Modules  
3. Click on Administer -> Content management -> Content types  
4. Select a type and click the 'manage fields' operation  
5. Click 'edit' to edit the node-type  
6. Expand the 'Submission form settings' input area  
7. Fill in "<script>alert('title');<;/script>" for the "Title field label"  
8. Fill in "<script>alert('body');</script>" for the "Body field label"  
9. Click 'Save content type'  
10. Click Administer -> Content Management -> Content types  
11. Click "manage fields" link for the type selected in #4 above  
12. Observe two JavaScript alerts  
  
- --  
Justin C. Klein Keane  
http://www.MadIrish.net  
http://www.LAMPSecurity.org  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iQD1AwUBShHDh5EpbGy7DdYAAQKbfgcAijtPqazvwOhltQmuep/+tP1scvmaifGa  
keMcKb7pTyP/GVJxrPoUeCif287myaD25jwL4P3SVS4+cUgTbWbwZGRc5QZdk8Kd  
E6GV05WL7Ufo7bmqPecOj4QuiYD7zl/dFX8o188nViqmvB8xnQqRYywL3wRhPSI7  
suDuEAeCNKxr5IGzNs5mS6ZaF/gQRF7KKt2yKwlv/MDhvf0uwRU0hfpJ+MLTbCbf  
wJNhXoG3aT00prXgmBxsTSzAMBhp4tG2ufBc1aLRYn26lCoBUNO9a3mk+a+xiKQb  
TtEDePFbRIw=  
=cfte  
-----END PGP SIGNATURE-----  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 May 2009 00:00Current
104