Exploit the possiblities

CurvyCorners Cross Site Scripting

CurvyCorners Cross Site Scripting
Posted Jan 24, 2013
Authored by Stephan Rickauer | Site csnc.ch

CurvyCorners module versions 6.x-1.x and 7.x-1.x suffer from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2013-1393
MD5 | 31d2dcbf263066bcf88396d8fc0ce3c0

CurvyCorners Cross Site Scripting

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# CVE ID : CVE-2013-1393
# CSNC ID: CSNC-2013-002
# Product: Drupal CurvyCorners
# Vendor: Drupal
# Subject: Cross-site Scripting - XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Stephan Rickauer (stephan.rickauer _at_ csnc.ch)
# Date: January 23rd 2013
#
#############################################################


Introduction:
-------------
Compass Security discovered a web application security flaw in the
CurvyCorners module of the Drupal CMS.


Vulnerable:
-----------
All CurvyCorners 6.x-1.x versions.
All CurvyCorners 7.x-1.x versions.


Not vulnerable:
---------------
unknown


Fix/Patches:
------------
If you use the CurvyCorners module, uninstall the module - there is no
patch available to fix this issue. The module is no longer supported.


Description:
------------
The CurvyCorners module enables you to create rounded corners on HTML
block elements. The module doesn't sufficiently filter user entered
text when being displayed. This vulnerability is mitigated by the fact
that an attacker must have a role with the permission "administer
curvycorners". Exploiting this vulnerability will lead to so-called
cross-site scripting (XSS) and allows the impersonation of logged-in
Drupal users.


Milestones:
-----------
December 14th 2012 Vulnerability discovered
December 14th 2012 Vendor contact established
December 14th 2012 Vendor acknowledged issue
January 17th 2013 CVE ID assigned by MITRE
January 23rd 2013 Public release of advisory by vendor


References:
-----------
XSS reference:
http://en.wikipedia.org/wiki/Cross-site_scripting
Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in web applications which allow code injection by
malicious web users into the web pages viewed by other users. Examples
of such code include HTML code and client-side scripts. An exploited
cross-site scripting vulnerability can be used by attackers to bypass
access controls such as the same origin policy. Recently,
vulnerabilities of this kind have been exploited to craft powerful
phishing attacks and browser exploits.

Drupal SA-CONTRIB-2013-008:
http://drupal.org/node/1896718


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    12 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close