ID PACKETSTORM:85121 Type packetstorm Reporter Martin Barbella Modified 2010-01-14T00:00:00
Description
`XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3
and 5.x-1.1)
Discovered by Martin Barbella <martybarbella@gmail.com>
Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)
The Node Blocks module allows users to specify content type(s) as
being a block. This allows the content managers of the site to edit
the block text and title without having to access the block
administration page. (From: http://drupal.org/project/nodeblock)
The block title is not properly sanitized when a user displays a block
created from a node, resulting in a cross site scripting
vulnerability.
Systems affected:
-----------------
This has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous
versions may also be affected.
Impact:
-------
This is an example of a stored cross site scripting vulnerability.
Stored attacks are those where the injected code is permanently stored
on the target servers, such as in a database, in a message forum,
visitor log, comment field, etc. The victim then retrieves the
malicious script from the server when it requests the stored
information. (From OWASP:
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)
Mitigating factors:
-------------------
A user must be able to create nodes of a type used by Node Blocks, and
this node must be added as a block by a user with the administer
blocks permission.
Proof of concept:
-----------------
1. Install the Node Blocks module
2. Create a content type with available as block enabled
3. As a user with permission to create nodes of this type, create a
node with the title "<script>alert('XSS')</script>"
4. As a user that can administer blocks, add this block to a region
5. Note that an alert box will be displayed when the block is
generated on a page
Solution:
---------
Install version 6.x-1.4 or 5.x-1.2 of the Node Blocks module.
Timeline:
---------
2009-12-29 - Drupal Security notified.
2010-01-13 - Security announcement released on drupal.org
(http://drupal.org/node/683598)
Credit:
-------
This vulnerability was reported by Martin Barbella to Khalid
Baheyeldin at Drupal Security, and fixed by Thomas Turnbull.
`
{"type": "packetstorm", "published": "2010-01-14T00:00:00", "reporter": "Martin Barbella", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "9314f5c8dbb27faf5283051ab7b08e4a"}, {"key": "modified", "hash": "cac1bd3d53dca505f5807331b67d74e6"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "cac1bd3d53dca505f5807331b67d74e6"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9d77bb934cf72cd3662bc3d66f988381"}, {"key": "sourceData", "hash": "eab4cea290dd1024c9e48a5b11e02e25"}, {"key": "sourceHref", "hash": "b4ef6c5f886b215acc3228191b3b1606"}, {"key": "title", "hash": "e75582343fb31a6d12f878d7806b7962"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 \nand 5.x-1.1) \n \nDiscovered by Martin Barbella <martybarbella@gmail.com> \n \nDescription of Vulnerability: \n----------------------------- \nDrupal is a free software package that allows an individual or a \ncommunity of users to easily publish, manage and organize a wide \nvariety of content on a website. (From: http://drupal.org/about) \n \nThe Node Blocks module allows users to specify content type(s) as \nbeing a block. This allows the content managers of the site to edit \nthe block text and title without having to access the block \nadministration page. (From: http://drupal.org/project/nodeblock) \n \nThe block title is not properly sanitized when a user displays a block \ncreated from a node, resulting in a cross site scripting \nvulnerability. \n \n \nSystems affected: \n----------------- \nThis has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous \nversions may also be affected. \n \n \nImpact: \n------- \nThis is an example of a stored cross site scripting vulnerability. \nStored attacks are those where the injected code is permanently stored \non the target servers, such as in a database, in a message forum, \nvisitor log, comment field, etc. The victim then retrieves the \nmalicious script from the server when it requests the stored \ninformation. (From OWASP: \nhttp://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) \n \n \nMitigating factors: \n------------------- \nA user must be able to create nodes of a type used by Node Blocks, and \nthis node must be added as a block by a user with the administer \nblocks permission. \n \n \nProof of concept: \n----------------- \n1. Install the Node Blocks module \n2. Create a content type with available as block enabled \n3. As a user with permission to create nodes of this type, create a \nnode with the title \"<script>alert('XSS')</script>\" \n4. As a user that can administer blocks, add this block to a region \n5. Note that an alert box will be displayed when the block is \ngenerated on a page \n \n \nSolution: \n--------- \nInstall version 6.x-1.4 or 5.x-1.2 of the Node Blocks module. \n \n \nTimeline: \n--------- \n2009-12-29 - Drupal Security notified. \n2010-01-13 - Security announcement released on drupal.org \n(http://drupal.org/node/683598) \n \n \nCredit: \n------- \nThis vulnerability was reported by Martin Barbella to Khalid \nBaheyeldin at Drupal Security, and fixed by Thomas Turnbull. \n \n`\n", "viewCount": 3, "history": [], "lastseen": "2016-11-03T10:18:45", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/85121/Drupals-Node-Blocks-Cross-Site-Scripting.html", "sourceHref": "https://packetstormsecurity.com/files/download/85121/drupalnb-xss.txt", "title": "Drupal's Node Blocks Cross Site Scripting", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:18:45"}, "dependencies": {"references": [], "modified": "2016-11-03T10:18:45"}, "vulnersScore": -0.4}, "references": [], "id": "PACKETSTORM:85121", "hash": "2e75d9d944aac90a2f9c2027bc422a73678bf167e5f3dfea83201b6c1c04e2f3", "edition": 1, "cvelist": [], "modified": "2010-01-14T00:00:00", "description": ""}