exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal Custom Pagers Module Cross Site Scripting

Drupal Custom Pagers Module Cross Site Scripting
Posted Jan 31, 2011
Authored by Justin C. Klein Keane

The Drupal Custom Pagers module suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | cab16e3ac4743cefc8da1868c35b89ad4f17bc21940d4376a82f748a39ce0426

Drupal Custom Pagers Module Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Custom Pagers module
(http://drupal.org/project/custom_pagers) "allows administrators to
define context-sensitive previous/next pagers for any node type." The
Custom Pagers module contains an arbitrary HTML injection vulnerability
(also known as cross site scripting, or XSS) due to the fact that it
fails to sanitize Custom Pagers names before display in the
administrative back end interface.

Systems affected:
- -----------------
Drupal 5.21 with Custom Pagers 5.x-1.9, and Drupal 6.19 with Custom
Pagers 6.x-1.0-beta2 were tested and shown to be vulnerable

Impact
- ------
User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise. A more likely scenario would be for an
attacker to inject hidden content (such as iframes, applets, or embedded
objects) that would attack client browsers in an attempt to compromise
site users' machines. This vulnerability could also be used to launch
cross site request forgery (XSRF) attacks against the site that could
have other unexpected consequences.

Mitigating factors:
- -------------------
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the
'administer custom pagers' permission. This could be accomplished via
social engineering, brute force password guessing, or abuse or
legitimate credentials.

Proof of concept:
- -----------------
1. Install Drupal, and the Custom Pager module
2. Navigate to the Custom pagers administration page at
?q=admin/build/custom_pagers
3. Click the 'Add a new custom pager' link or go to
?q=admin/build/custom_pagers/add
4. For the 'Title' of the new page enter "<script>alert('xss');</script>"
5. Enter arbitrary values for the rest of the form and click the
'Submit' button
6. Observe the persistent XSS at ?q=admin/build/custom_pagers


Patch:
- ------------------------------------------
Applying the following patch mitigates this issue in version 5.x-1.9

- --- custom_pagers/custom_pagers.module 2007-08-16 09:49:33.000000000 -0400
+++ custom_pagers/custom_pagers.module 2011-01-31 16:33:08.657233745 -0500
@@ -132,7 +132,7 @@ function custom_pagers_page() {
$rows = array();
foreach ($pagers as $pager) {
$row = array();
- - $row[] = $pager->title;
+ $row[] = check_plain($pager->title);
$row[] = !empty($pager->list_php) ? t('PHP snippet') : $pager->view
. t(' view');
$row[] = !empty($pager->visibility_php) ? t('PHP snippet') :
$pager->node_type . t(' nodes');
$row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' .
$pager->pid);


Applying the following patch mitigates this issue in version 6.x-1.0-beta2

- --- custom_pagers/custom_pagers.admin.inc 2010-01-17 17:57:39.000000000
- -0500
+++ custom_pagers/custom_pagers.admin.inc 2011-01-31 16:36:10.967026063
- -0500
@@ -15,7 +15,7 @@ function custom_pagers_page() {
$rows = array();
foreach ($pagers as $pager) {
$row = array();
- - $row[] = $pager->title;
+ $row[] = check_plain($pager->title);
$row[] = !empty($pager->list_php) ? t('PHP snippet') :
t('%view_name view', array('%view_name' => $pager->view));
$row[] = !empty($pager->visibility_php) ? t('PHP snippet') :
t('%node_type nodes', array('%node_type' => $pager->node_type));
$row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' .
$pager->pid);


Vendor Response:
- ------------------------------------------
Drupal security team no longer supports vulnerabilities in Drupal 5 and
explicitly does not support resolution of vulnerabilities in modules
designated alpha, beta, dev, or other testing release. Module
maintainer notified in public forums.

Disclosure also posted at http://www.madirish.net/?article=479

- --
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk1HMegACgkQkSlsbLsN1gCTigb/Xj3RJjyzB1vYt5mQlhh5UJBe
NA+2mg3zn5t18taTS3Z/tbS5RcchLk2wsf87Afh/MvRDvIJIukkFJtH6X0HXVamx
fz8//sDiriSbz6729i2wLo0cy1ei/rBZLVKfGGRqvOrPiI/TBO69xhTdkEYXXSob
tbKzJzFCfTv8qn+EVXOzeAzXrk2VMnMUpJ5uNv4aBoVfMPTJ7SgnKf2x1CGYYhNA
WFsvczG6mPQ1Q5Z3L+Lt+VIxgcC3u+Bf/WDZ1GxntyOOqvUjaebpv5YyeMlkLqju
alZDmoTqjHy8w7WNqhE=
=dxhm
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close