Drupal Activity 6.x XSS Proof Of Concept

Posted Mar 29, 2012
Authored by Justin C. Klein Keane | Site drupal.org

This file documents a proof of concept demonstrating the cross-site scripting vulnerability in the Drupal Activity module version 6.x.

tags | exploit, xss, proof of concept
SHA-256 | 21cff53d4151dcb6cd0a86095cfb274645d44512ecad08ffa9a0c5beb8eac1e5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exploit for bespoke:

* Install and enable the Activity and Flag modules
* Add a new Flag with an arbitrary name at ?q=admin/build/flags/add
* On the resulting page (?q=admin/build/flags/add/node/[name]) enter
"<script>alert('xss');</script>" for the flag Title
* View the rendered JavaScript at /?q=admin/settings/activity/flagactivity

* As above
* Alter the "Comment: Insert:" field in the "Message visible to the
"All" role" fieldgroup at ?q=admin/settings/activity/commentactivity
to insert the text "<script>alert('xss');</script>"
* Move the "Activity (All): show all recent activity" block to a
visible content region at ?q=admin/build/block
* Create a story at ?q=node/add/story
* Log out
* As anonymous user add a comment at ?q=comment/reply/X#comment-form
where X is the nid of the story from step #4
* Submit the comment to view the rendered JavaScript alert in the
Activity block or log back in to see the JavaScript at ?q=activity

Patch:

The following patch mitigates the above vulnerabilities.

- --- activity/activity.module 2009-04-26 21:45:25.000000000 -0400
+++ activity.fixed/activity.module 2012-01-26 06:34:56.014821191 -0500
@@ -311,7 +311,7 @@ function activity_module_settings(&$form
'#type' => 'checkboxes',
'#title' => t('Token types'),
'#description' => t('Select the token types that you wish to
record activity from.'),
- - '#options' => $info['types'],
+ '#options' => array_map("filter_xss", $info['types']),
'#default_value' => variable_get($module .'_token_types',
array_keys($info['types'])),
'#attributes' => array('class' => 'activity-token-types'),
);
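Review bot: the `array_map("filter_xss", $info['types'])` on the `#options` line sanitizes only the option labels (the array values); the array keys are untouched and still flow into the rendered checkbox return values, so confirm they are module-defined rather than derived from the same user-supplied names, or escape them as well. Since these labels are displayed as plain text, `check_plain` would also be the tighter choice here: `filter_xss` still lets its default whitelist of tags through.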
@@ -350,7 +350,7 @@ function activity_module_settings(&$form
if (count($types) > 1) {
$form[$module][$role_name][$type_name] = array(
'#type' => 'fieldset',
- - '#title' => t($type),
+ '#title' => filter_xss(t($type)),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
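Review bot: `'#title' => filter_xss(t($type))` sanitizes at output, which is the right place, but a fieldset title is plain text, so `check_plain` is the stricter fit than `filter_xss`, which allows a whitelist of tags. Separately, `t($type)` with a runtime value instead of a literal string defeats string extraction and is against Drupal coding standards; that predates this patch, but it is worth fixing in the same pass since `$type` is exactly the user-controlled value being sanitized here.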
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit
activity_invoke_activityapi($activity, 'render');
$message = token_replace($pattern, $module, $data);
$message = token_replace($message, 'activity', $data);
- - return $message;
+ return filter_xss($message);
}
}
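Review bot: `return filter_xss($message);` filters the fully rendered message, so any markup the admin-defined message pattern legitimately contains outside `filter_xss`'s default allowed-tag list is stripped along with the injected script. If message patterns are meant to carry richer HTML, either pass an explicit allowed-tags list as the second argument or sanitize the individual token values before the two `token_replace` calls so the pattern's own markup is preserved. Note also that this runs on every render rather than once on save, which is correct but pays the filtering cost per activity item displayed.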


Justin Klein Keane
http://www.MadIrish.net