Drupal String Overrides Cross Site Scripting

Drupal String Overrides Cross Site Scripting
Posted Nov 10, 2011
Authored by Justin C. Klein Keane

Drupal version 6.20 with String Overrides version 6.x-1.8 and Drupal version 5.21 with String Overrides version 5.x-1.8 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 4886ee54f2d7167744489a6e50bdf6359d0772cfb3bb6eedc3e6b62a29164bf5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Report

Reported to Vendor: March 16, 2011 15:25 EST


Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal String Overrides module
(http://drupal.org/project/stringoverrides) "Provides a quick and easy
way to replace any text on the site." The module is intended as a
lightweight translation module. Unfortunately the String Overrides
module contains functionality that allows users to inject arbitrary
code into translations of terms that are not sanitized by other
modules (including Drupal core).
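To make that sink concrete, the following is an added PHP illustration, not code from the String Overrides module or from Drupal core, of how a stored override reaches an administrative page unescaped and of a storage-time whitelist filter in the spirit of the patch given later in this report. The override table, the `lookup_string()`, `sanitize_override()`, `sanitize_all()` and `admin_label()` helpers and the `<em>`/`<strong>` whitelist are all constructed for this example; the filter is a simplified stand-in for Drupal's `filter_xss()`, not a copy of it.

```php
<?php
// Added illustration (not the module's code): a cut-down model of why a
// translation override is an XSS sink. All names below are hypothetical.

// Constructed override table, shaped as an account holding the
// 'administer string overrides' permission could save it: original => replacement.
$overrides = array(
    'Optional'           => 'Optional<script>alert(1)</script>',
    'Save configuration' => 'Save <strong onmouseover="alert(2)">configuration</strong>',
);

// Caller side: Drupal treats the return value of t() as safe HTML and prints
// it without escaping. This lookup models that contract, so whatever is
// stored as a replacement is emitted verbatim.
function lookup_string(array $overrides, $original) {
    return isset($overrides[$original]) ? $overrides[$original] : $original;
}

// Storage-side filter: keep only a short whitelist of inline formatting tags
// and drop every other tag (script included). strip_tags() removes the tag
// markup but keeps its text content, so "alert(1)" survives as harmless text.
function sanitize_override($replacement, array $allowed = array('em', 'strong')) {
    $keep = '';
    foreach ($allowed as $tag) {
        $keep .= '<' . $tag . '>';
    }
    $clean = strip_tags($replacement, $keep);
    // Whitelisted tags may still carry event-handler attributes, so reduce
    // each surviving tag to its bare name: <strong onmouseover=...> => <strong>.
    $pattern = '/<(\/?)(' . implode('|', $allowed) . ')\b[^>]*>/i';
    return preg_replace($pattern, '<$1$2>', $clean);
}

// Filter every replacement; a single-array array_map() preserves the
// string keys, so the original => replacement layout is unchanged.
function sanitize_all(array $overrides) {
    return array_map('sanitize_override', $overrides);
}

// Render a fragment the way a trusting admin screen does: no output escaping.
function admin_label(array $overrides, $original) {
    return '<label>' . lookup_string($overrides, $original) . '</label>';
}

echo "Unsanitized store:\n";
echo admin_label($overrides, 'Optional'), "\n";            // script tag reaches the browser
echo admin_label($overrides, 'Save configuration'), "\n";  // event handler reaches the browser

echo "Sanitized store:\n";
$clean = sanitize_all($overrides);
echo admin_label($clean, 'Optional'), "\n";                // <label>Optionalalert(1)</label>
echo admin_label($clean, 'Save configuration'), "\n";      // <label>Save <strong>configuration</strong></label>
```

The point of the two runs is that the rendering code is identical in both; only the trust placed in the stored replacement changes. Filtering at save time is the cheapest fix for a module whose output is consumed by callers that never escape, but overrides saved before the filter was introduced remain in the store until they are re-filtered.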

Systems affected:
- -----------------
Drupal 6.20 with String Overrides 6.x-1.8 and Drupal 5.21 with String
Overrides 5.x-1.8 were tested and shown to be vulnerable. Drupal 7.0
with String Overrides 7.x-1.0 was tested and not found to be
vulnerable. The demonstrated attack vector may affect other modules
that trust input from translation files.

Impact
- ------
Malicious users could inject arbitrary scripts into pages affecting
site administrators. This could result in administrative account
compromise leading to web server process compromise. An attacker
could also inject hidden content (such as iframes, applets, or
embedded objects) that would attack client browsers in an attempt to
compromise site users' machines. This vulnerability could also be
used to launch cross site request forgery (XSRF) attacks against the
site that could have other unexpected consequences.

Mitigating factors:
- -------------------
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the
'administer string overrides' permission. This could be accomplished
via social engineering, brute force password guessing, or abuse of
legitimate credentials.

Proof of Concept:
- -----------------
1. Install Drupal and enable the String Overrides module
2. Navigate to the 'String Overrides' page at
?q=admin/settings/stringoverrides
3. Enter a new value with the Original set to "Optional" and the
Replacement set to "Optional<script>alert('xss');</script>"
4. Click the 'Save configuration' button
5. View rendered JavaScript at the Page content type management
screen ?q=admin/content/node-type/page

There are a number of other strings that are vulnerable to this type
of injection at various locations throughout the Drupal administrative
interface. This attack can also be accomplished by importing a
malicious language file at ?q=admin/settings/stringoverrides/import

Patch:
- ------------------------------------------
The Drupal core Translation module will fail to import language files
(.po or .pot) if illegal HTML characters are contained within them.
It is reasonable to strip HTML out of imported translation strings.
The following patch accomplishes this functionality in Drupal 6:

- --- stringoverrides/stringoverrides.admin.inc 2010-08-22
16:36:43.000000000 -0400
+++ stringoverrides/stringoverrides.admin.inc 2011-03-16
15:17:11.502256648 -0400
@@ -87,7 +87,7 @@ function stringoverrides_admin_submit($f
if (!empty($string['original'])) {
// Get rid of carriage returns.
list($orig, $replace) = str_replace("\r", '',
array($string['original'], $string['replacement']));
- - $words[$string['enabled']][$orig] = $replace;
+ $words[$string['enabled']][$orig] = filter_xss($replace);
}
}
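Review bot: the text above says the patch strips HTML out of replacement strings, but `filter_xss($replace)` with no second argument keeps Drupal's default whitelist of tags (a, em, strong, cite, code and the list tags), so the stored value is a filtered HTML fragment rather than plain text. If stripping is the intent, pass an empty allowed-tags list (`filter_xss($replace, array())`) or state in the report that basic inline markup is still permitted. Sanitizing only on save also leaves overrides stored before the patch untouched; the existing `locale_custom_strings_*` variables should be re-filtered on update as well.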

@@ -296,7 +296,7 @@ function stringoverrides_admin_import_su
// Clean up and save the imported data
fclose($handle);
file_delete($file->filepath);
- - variable_set('locale_custom_strings_'.
$form_state['values']['lang'], $overrides);
+ variable_set('locale_custom_strings_'.
$form_state['values']['lang'], array_map('filter_xss',$overrides));
drupal_set_message(t('The overrides have been imported.'));
}
}
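Review bot: `array_map('filter_xss', $overrides)` is only correct if every value in `$overrides` is a string. If the import builds the same nested shape the first hunk builds for `$words` (enabled flag => original => replacement), the callback receives the inner arrays rather than the replacement strings; confirm the structure produced by the import loop above this hunk and, if it is nested, map over the inner level instead. Leaving the keys (the original strings) unfiltered is fine since they are only lookup keys, and a single-array `array_map` preserves string keys, so the variable layout is otherwise unchanged.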

Vendor Response
- ---------------
Vendor intends to release a public service announcement
(https://drupal.org/security/psa).

- --
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk670YgACgkQkSlsbLsN1gD2gAb/Um2Aw1ag9k9nFtbVguBeaas3
MIPwic2Y2mO8S6agkwgxMI8YaryfgdyzB/uj+dAML+Cjzwp0W+qeSohhKSXoxEHs
9geSskeWHKNMVTPJwyOwM8uF7bBITcFbR2eEGtUZfzmm6SDzVklyC+pmOFYHz30Y
cJ7LyGteFigXmpyTJAUnoyD7bHOz4d9UYmz4KwBkOSPN+sGjBOdXvosAr3CyX/Sl
bAyQkw3iqNWEJlU6rYRmd2usOl/M8N5MW8gilS9EEfLaotIRHA1acvu4S75Ib8dq
H2xCoabhzcDBXYa+lVk=
=vS5x
-----END PGP SIGNATURE-----