[Full-disclosure] Drupal 6.12 (core) User Module XSS Vulnerability
- From: Justin Klein Keane <justin@xxxxxxxxxxxx>
- Date: Tue, 19 May 2009 18:30:45 -0400
Details of this disclosure have been posted at
Vendor Notified: 05/19/09
Vendor Response: Drupal security team responds that this vulnerability
has been publicly disclosed since October 2, 2008 and it is not
considered a "security risk." Ref: http://drupal.org/node/316136.
Description of Vulnerability
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third-party modules. The user module is provided as part of the Drupal 6
core modules and contains a cross-site scripting (XSS) vulnerability
that can allow users with the 'administer permissions' permission to
inject arbitrary HTML into role names. Users with 'administer
permissions' permission could create new roles containing malicious
this permission could elevate the permissions of their own role using
permissions they have been granted, this flaw could allow for a
"stealth" attack vector.
Drupal 6.12 was tested and shown to be vulnerable.
Authenticated users with 'administer permissions' can exploit this
vulnerability to attack other users with privileges to view roles.
An attacker must have the 'administer permissions' permission in order to
exploit this vulnerability. Since that permission already allows a user to
elevate the permissions of their own role, this vulnerability represents
a more subtle attack vector rather than a new privilege boundary.
Proof of concept:
1. Install Drupal 6.12.
2. Click Administer -> User management -> Roles
3. Enter "<script>alert('xss');</script>" in the "Name" textarea
4. Click the "Add Role" button
Note that this XSS affects several other functions in the Drupal 6
administrative back end.
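The root cause is a stored value (the role name) being written into administrative page markup without output escaping. The following stand-alone PHP script is an added illustration, not Drupal's own code: it contrasts the unsafe rendering pattern with the escaped form, using a stand-in for Drupal 6's check_plain() so it runs outside Drupal, and adds an audit function a site administrator could use to find role names that already contain markup. The role table contents are constructed sample data.

```php
<?php
// Added example, not Drupal code. check_plain() in Drupal 6 wraps
// htmlspecialchars(..., ENT_QUOTES, 'UTF-8'); a stand-in is defined here
// (assumption) so the script runs without a Drupal bootstrap.
if (!function_exists('check_plain')) {
    function check_plain($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample roles (rid => name); the last mirrors the proof of
// concept above.
$roles = array(
    3 => 'authenticated user',
    4 => 'editor',
    5 => "<script>alert('xss');</script>",
);

// Vulnerable pattern: the stored name is concatenated into markup
// verbatim, so any administrator viewing the roles page runs the script.
function render_roles_unsafe(array $roles) {
    $out = "<ul>\n";
    foreach ($roles as $rid => $name) {
        $out .= "  <li>$rid: $name</li>\n";
    }
    return $out . "</ul>\n";
}

// Hardened pattern: escape at output time regardless of who stored the
// value; the integer cast prevents the key from carrying markup either.
function render_roles_safe(array $roles) {
    $out = "<ul>\n";
    foreach ($roles as $rid => $name) {
        $out .= '  <li>' . (int) $rid . ': ' . check_plain($name) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Audit helper: flag role names that contain tags or characters that
// change meaning when escaped, i.e. names an attacker may already have set.
function suspicious_role_names(array $roles) {
    $hits = array();
    foreach ($roles as $rid => $name) {
        if ($name !== strip_tags($name) || $name !== check_plain($name)) {
            $hits[$rid] = $name;
        }
    }
    return $hits;
}

echo render_roles_unsafe($roles);
echo render_roles_safe($roles);
print_r(suspicious_role_names($roles));
```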
Justin C. Klein Keane