Re: [Full-disclosure] XSS in Drupal Better Formats Module




Hello,

I did not apply for a CVE identifier because there are folks who would
argue that the conditions described below do not qualify as a
"vulnerability." I must confess I'm ignorant of the CVE guidelines
surrounding such a situation. Any further information or clarification
would be greatly appreciated.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 04/27/2010 01:09 PM, Henri Salo wrote:
On Tue, 27 Apr 2010 12:07:17 -0400
"Justin C. Klein Keane" <justin@xxxxxxxxxxxx> wrote:

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Better Formats module
(http://drupal.org/project/better_formats) contains a cross site
scripting (XSS) vulnerability due to the fact that it fails to
sanitize format names before display.

Systems affected:
-----------------
Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be
vulnerable.

Impact
------
Users could inject arbitrary scripts into pages, affecting site users.
This could result in administrative account compromise, leading to web
server process compromise.

Mitigating factors:
-------------------
In order to execute arbitrary script injection, malicious users must
have 'Administer filters' permission. The Drupal security team has
classified vulnerabilities that require this permission
(http://drupal.org/node/475848) as "display bugs" because access to
this permission allows for alteration of input specifications that
could allow users with permissions to create content to craft
arbitrary PHP. However, in a situation where a user had "administer
filters" permission but could not create content, this vulnerability
could be used to attack other Drupal users.

Patch:
------------------------------------------
Applying the following patch mitigates this issue in version 6.x-1.2.

--- better_formats/better_formats.module 2010-02-05
08:59:18.000000000 -0500
+++ better_formats/better_formats.module 2010-04-27
11:35:53.444189426 -0400 @@ -537,7 +537,7 @@ function
better_formats_filter_form($val

$form = array(
'#type' => 'fieldset',
- '#title' => $fieldset_title,
+ '#title' => check_plain($fieldset_title),
'#collapsible' => $collapsible,
'#collapsed' => $collapsed,
'#weight' => $weight,
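Review bot: escaping at the point of output with check_plain() is the right fix for the fieldset legend, because Drupal 6's theme_fieldset() writes #title into the <legend> element without escaping it; before merging, confirm that no caller of better_formats_filter_form() already escapes the title it passes in (the parameter list is cut off at `$val` in this header), otherwise an ampersand in a format name will render as a double-encoded entity.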
@@ -551,7 +551,7 @@ function better_formats_filter_form($val
$parents_for_id = array_merge($parents,
array($format->format)); $form[$format->format] = array(
'#type' => 'radio',
- '#title' => $format->name,
+ '#title' => check_plain($format->name),
'#default_value' => $default,
'#return_value' => $format->format,
'#parents' => $parents,
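Review bot: this is the same pattern as the fieldset title and is needed for the same reason: theme_radio() in Drupal 6 copies #title into the <label> unescaped, and $format->name is stored in the filter_formats table, which anyone holding 'administer filters' can edit. Since this hunk covers only the radio's title, check the rest of the module for other places the format name is rendered (a #description, a select #options list, or a status message) and apply the same treatment there rather than fixing one call site.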


Have you requested CVE-identifier for this vulnerability?

---
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/