exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting

Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting
Posted Jul 11, 2012
Authored by Zach Alexander

Drupal version 6.26 with Book Block version 6.x-1.0-beta1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | f9634f63ca64e4955a6dcb078fc3edf1f92c7055f4d7d300f83c4c36269e47a6

Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting

Change Mirror Download
Drupal Book Block 6.x-1.0-beta1 XSS Vulnerability

Posted by zalexander on July 9, 2012 at 2:44pm

Project: Book Block
Version: 6.x-1.0-beta1
Component: Code
Category: bug report
Priority: major
Assigned: mcjim
Status: fixed
Issue tags: patch, security, vulnerability, xss

Issue Summary

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL.
The Drupal Book Block module (https://drupal.org/project/bookblock) allows users to create a
block on their page that can generate an individual menu block for each of a site's books.
These blocks can then be administered as any other block to appear on the pages you choose.
The Book Block module contains a persistent script injection vulnerability (XSS) on its admin
page that fails to properly sanitize the titles of books.
Systems Affected:

Drupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.

Impact:

Users who have the ability to create books on the website can inject arbitrary script into
book titles. This script will execute whenever a user navigates to /admin/content/book/blocks.
This could lead to privilege escalation, account compromise or other attacks. This exploit
affects

Mitigating Factors:

In order to insert a malicious script into the database, access to a valid user account with
the ability to create Book nodes is required.

Proof of Concept:

1. Install and enable the Book Block module
2. Navigate to /node/add and click "Book page" to create a new book page
3. Enter '<script>alert('XSS Vulnerablity')</script>' into the "title" field, then fill in the "body" field arbitrarily and press "Save"
4. Navigate to /admin/content/book/blocks to view the rendered JavaScript

Patch:

The following patch mitigates this vulnerability:

$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc
--- bookblock.admin.inc 2010-07-01 08:31:50.000000000 -0400
+++ patchedbookblock.admin.inc 2012-07-06 11:07:49.956360960 -0400
@@ -13,7 +13,7 @@
* @ingroup forms
*/
function bookblock_admin_settings() {
- $books = book_get_books();
+ $books = array_map("check_plain",book_get_books());
if ($books) {
foreach ($books as $book) {
if (!$book['has_children']) {
@@ -31,4 +31,4 @@
$form['array_filter'] = array('#type' => 'value', '#value' => TRUE);
return system_settings_form($form);
}
-}
\ No newline at end of file
+}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close