Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Drupal 6.x Core XSS

🗓️ 17 Dec 2009 00:00:00Reported by Justin C. Klein KeaneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Drupal 6.x Core XSS vulnerabilit

Code
`The full text of this advisory can be found at  
http://www.madirish.net/?article=442  
  
Description of Vulnerability:  
- - -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL that provides extensibility through various third  
party modules. The Locale module "Enables the translation of the user  
interface to languages other than English." The Local module is one of the  
Drupal core modules, distributed with every Drupal site, but not enabled by  
default.  
  
Systems affected:  
- - -----------------  
Drupal 6.14 was tested and shown to be vulnerable.  
  
Impact:  
- - -------  
XSS vulnerabilities may expose site administrative accounts to compromise  
which could lead to web server process compromise.  
  
Mitigating factors:  
- - -------------------  
To carry out the XSS exploit below the attacker must have 'administer  
languages' permissions.  
  
Proof of Concept:  
- ---------------------  
1. Install Drupal 6.14 and enable the Locale module from Administer ->  
Modules  
2. Click Administer -> Site configuration -> Languages  
3. Click 'Add language'  
4. Expand the form area by clicking 'Custom language'  
5. Enter "<script>alert('xss1');</script>" in the 'Language name in  
English' text area  
6. Enter "<script>alert('xss2');</script>" in the 'Native language name'  
text area  
7. Enter arbitrary values for 'Direction' and click the 'Add custom  
language' button  
8. Click Administer -> User management -> Users  
9. Click the 'Add user' button to observe the rendered JavaScript  
  
Technical details:  
- ------------------------  
The locale module fails to sanitize the output of the language name and  
native language name before display. Applying the following patch fixes  
this vulnerability.  
  
Patch  
- -------  
Applying the following patch mitigates these threats.  
  
--- modules/locale/locale.module 2009-02-25 06:47:37.000000000 -0500  
+++ modules/locale/locale.module 2009-11-11 14:26:40.704648132 -0500  
@@ -229,7 +229,7 @@ function locale_user($type, $edit, &$use  
'#type' => (count($names) <= 5 ? 'radios' : 'select'),  
'#title' => t('Language'),  
'#default_value' => $user_preferred_language->language,  
- '#options' => $names,  
+ '#options' => array_map('filter_xss', $names),  
'#description' => ($mode == LANGUAGE_NEGOTIATION_PATH) ? t("This  
account's default language for e-mails, and preferred language for site  
presentation.") : t("This account's default language for e-mails."),  
);  
return $form;  
  
Vendor Response  
---------------  
Upgrade to the latest version.  
  
  
--   
Justin C. Klein Keane  
http://www.MadIrish.net  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Dec 2009 00:00Current
0.1Low risk
Vulners AI Score0.1
drupal cmsxssmysqllocale moduleuser interfaceadminister languages permissionspatchupgrade
25