-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NB: Before anyone gets their panties in a twist read the whole disclosure, this isn't the end of the world, sky-is-falling vulnerability you might be looking for, but I do believe it is serious. TLDR: check your .info files! Vulnerability Report Author: Justin C. Klein Keane Reported: 7 August, 2013 Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal core suffers from multiple persistent (stored) cross site scripting (XSS, or arbitrary script injection) vulnerabilities because the core System module, included in all Drupal sites, fails to sanitize module names and descriptions provided in module metadata files (identified by their .info extension) before display in some locations. Systems affected: - ----------------- Drupal 7.22 and 6.28 were tested and shown vulnerable. Other versions are likely affected. Impact - ------ Attackers can inject arbitrary HTML (including JavaScript) in order to attack site administrators. This could lead to account compromise (which could in turn lead to arbitrary PHP code execution privileges), or expose administrative users to client side malware attacks. Mitigating factors: - ------------------- In order to inject arbitrary script malicious attackers must have the ability to manipulate module .info files on a site filesystem, perhaps via permissions misconfiguration, or to manipulate these files in modules before they are deployed to a site, such as with the Features module (https://drupal.org/project/features). It would be quite rare to be able to manipulate a .info file without the ability to manipulate actual PHP code contained in modules. However, malicious script contained in .info files would likely be overlooked in any security audit since these files are assumed to be inert text files, devoid of any scripting, markup, or executable code. It is worth noting that the content of .info files is sanitized for display in some locations, but this treatment is not uniform. Thus the likelihood of an attack via this vector is LOW, but the impact is extremely high, and the attack would likely escape notice by most automated and manual security countermeasures. Proof of Concept Exploits: - ----------------- 1. Install Drupal 7-22 2. Create a new directory in the /sites/all/modules named "evil" 3. Create the file evil.info in the /sites/all/modules/evil directory to include the following content: name = description = core = 7.x package = Other version = 7.x-1.0 project = evil_feature dependencies[] = system 4. Create the file evil.module in the /sites/all/modules/evil directory to include the following contents: $info['name'], + '#markup' => check_plain($info['name']), ); $form['description'] = array( - - '#markup' => t($info['description']), + '#markup' => t("@desc", array('@desc' => $info['description'])), ); $form['version'] = array( '#markup' => $info['version'], Vendor Response: - ---------------- The Drupal Security Team considers this vulnerability worthy of public discussion. The team points out that an attacker able to manipulate a .info file would likely be able to manipulate PHP code found in other files in the same directory. Furthermore, the Drupal Security Team feels this issue is already public (https://drupal.org/node/637538), however the public discussion only concerns the development of the next major release of Drupal - Drupal 8. There is no mention in the public discussion, of the fact that this issue faces both current supported release versions (Drupal 7 and Drupal 6) and likely previous releases. - -- Justin C. Klein Keane http://www.MadIrish.net Any digital signature on this message can be confirmed using the GPG key at http://www.madirish.net/gpgkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iPwEAQECAAYFAlILhzQACgkQkSlsbLsN1gDJjgb+MFQ5xee1G5zfZ25T2jpMLztb Y/UFjB068iAytm6ogTg35Iyz9y/aBNapPvVLCMRy8rmYtywJIpORy6Jxnwsyxxq+ Lkf3SeXXGHG1V7gDSVtt+H+SDtpRS3aqYigYVb+Ia6tlkfb2IR7dBdUWCVuT3789 Qf2NPbVqdxvn2xHVGItnto1qKfqd4AqssATtBoe/hdE/ti7QOgQmxg7yA9fi4KBU uhdd6Skq8ZLsbacFSA45jpT9QRJPnQt6tWWiF7ePU/e/xZjrIUZZWHDHTHo8ntpk fQVjZlI7cOwojrP9sd0= =rilD -----END PGP SIGNATURE----- ---------------------------------------------------------------- Date: Wed, 14 Aug 2013 08:00:39 -0600 From: Greg Knaddison To: "Justin C. Klein Keane" Cc: full-disclosure@lists.grok.org.uk Thanks to Justin for identifying and describing this issue. With a little more detail inline. On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane wrote: > Mitigating factors: > - ------------------- > In order to inject arbitrary script malicious attackers must have the > ability to manipulate module .info files on a site filesystem, perhaps > via permissions misconfiguration, It feels unclear to me if the permissions mentioned here are Drupal permissions or others. So, to be clear, this would require server file permission misconfiguration. The info files are placed in the same directories as php code. For this vulnerability to be significant it would require permissions like: -rw-rw-rw- 1 deployuser deployuser 243 Jan 7 2013 machine_name.info -rw-rw-r-- 1 deployuser deployuser 434 Jan 7 2013 machine_name.install -rw-rw-r-- 1 deployuser deployuser 3802 Jan 7 2013 machine_name.module Or maybe: -rw-rw-r-- 1 deployuser somegroup 243 Jan 7 2013 machine_name.info -rw-r--r-- 1 deployuser somegroup 434 Jan 7 2013 machine_name.install -rw-r--r-- 1 deployuser somegroup 3802 Jan 7 2013 machine_name.module In the first scenario the attacker would just need a shell on the server. In the second scenario the attacker would need a shell on the server and membership in somegroup. > feels this issue is already public (https://drupal.org/node/637538), > however the public discussion only concerns the development of the > next major release of Drupal - Drupal 8. There is no mention in the > public discussion, of the fact that this issue faces both current > supported release versions (Drupal 7 and Drupal 6) and likely previous > releases. I updated that issue to include Drupal 7 and Drupal 6 mentions. It's true this affects previous releases, but previous releases are explicitly EOL and full of holes that are not documented. * Drupal 5 EOL Announcement: https://drupal.org/node/1027214 * Drupal 4.7 EOL Announcement: https://drupal.org/node/225729 Regards, Greg