Details of this disclosure have been posted at http://lampsecurity.org/drupal-role-xss-vulnerability
Vendor Notified: 05/19/09
Vendor Response: Drupal security team responds that this vulnerability has been publicly disclosed since October 2, 2008 and it is not considered a "security risk." Ref: http://drupal.org/node/316136.
Description of Vulnerability
Drupal 6.12 was tested and shown to be vulnerable.
Authenticated users with the 'administer permissions' permission can exploit this vulnerability to attack other users who have privileges to view roles.
The attacker must hold the 'administer permissions' permission in order to exploit this vulnerability. Because that permission already allows a user to elevate the permissions of their own role, this vulnerability represents a more subtle attack vector.
Proof of concept:
Note that this XSS affects several other functions in the Drupal 6 administrative back end.
Justin C. Klein Keane http://www.MadIrish.net http://LAMPSecurity.org
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/