http://www.theregister.co.uk/2010/05/10/drupal_security_bug/

By Dan Goodin in San Francisco
The Register
10th May 2010

A researcher has uncovered a potentially serious vulnerability in Drupal, the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages; a script injected this way can reset the site's administrative password.

The discovery is notable because it comes less than three weeks after the White House released a plug-in of its own, the Context HTTP Headers module, that requires use of the vulnerable Context module. It raises questions about the level of security review carried out by the people who coded the Context HTTP Headers module. Administration officials installed it on the sensitive Obama website and released it to great fanfare in late April at the DrupalCon conference in San Francisco.

"My worry is that they just launched this revamped Drupal site and it doesn't look like anybody did a serious security audit," said a security researcher who has reviewed the bug and asked that his name not be used in this article. "You can find this hole without much digging, but who knows what else may or may not be there. If one had done that kind of vulnerability assessment even casually, you would expect you would uncover these kinds of things."

[...]

Received on Mon May 10 2010 - 22:30:51 PDT