[ISN] White House devs overlooked gaping Drupal vuln

From: InfoSec News <alerts_at_private>
Date: Tue, 11 May 2010 00:30:51 -0500 (CDT)

By Dan Goodin in San Francisco 
The Register
10th May 2010

A researcher has uncovered a potentially serious vulnerability in the 
open-source content management system used by the White House website 
and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context 
module, a plug-in that Whitehouse.gov and about 10,000 other sites use 
to manage how content is viewed on their sites. According to an advisory 
published Monday by researcher Justin Klein Keane, the flaw allows 
attackers to inject malicious scripts into login pages that will reset 
the site's administrative password.

The discovery is notable because it comes less than three weeks after 
the White House released a plug-in of its own that requires use of the 
vulnerable Context module. It raises questions about the level of review 
carried out by the people who coded the Context HTTP Headers module. 
Administration officials installed it on the sensitive Obama website and 
released it to great fanfare in late April at the DrupalCon conference 
in San Francisco.

"My worry is that they just launched this revamped Drupal site and it 
doesn't look like anybody did a serious security audit," said a security 
researcher who has reviewed the bug and asked that his name not be used 
in this article. "You can find this hole without much digging, but who 
knows what else may or may not be there. If one had done that kind of 
vulnerability assessment even casually, you would expect you would 
uncover these kinds of things."


Best Selling Security Books and More!
Shop InfoSec News
Received on Mon May 10 2010 - 22:30:51 PDT

This archive was generated by hypermail 2.2.0 : Mon May 10 2010 - 22:40:38 PDT