-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drupal 5.17 Taxonomy (Core) Module Contains XSS Vulnerability
May 7, 2009
Version tested: Drupal 5.17
http://lampsecurity.org/drupal-taxonomy-vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and supported by a MySQL database. The power of Drupal
systems is extended by various modules. Most modules are developed by
third parties, but there is a set of "core" modules that are provided as
part of a standard Drupal installation.

The Drupal 5.17 Taxonomy module, which is part of the Drupal core and is
enabled by default upon installation, contains a cross-site scripting
vulnerability that allows users with the 'administer taxonomy' permission
to inject arbitrary HTML into the help text of any Category vocabulary.
That HTML is displayed, unfiltered, whenever any user opens the form to
create new content of a type associated with that vocabulary, so any
script it contains runs in that user's browser.

Proof of concept:

1. Log in to Drupal 5.17 as a user with the 'administer taxonomy' permission.
2. Create a new content category using Administer -> Categories -> Add Vocabulary.
3. Enter arbitrary HTML containing JavaScript (for example, a script element
   that calls alert()) in the 'Help text:' field, check the 'Page' and 'Story'
   checkboxes under 'Types' and fill out arbitrary values for the other fields.
4. Click 'Submit'.
5. Create new content by clicking the 'Create content' link and then click
   either 'Page' or 'Story'.
6. A JavaScript alert will appear.

This vulnerability is especially dangerous because it targets content
creators, who are likely to have elevated privileges in Drupal: a user
whose only administrative right is taxonomy management can run script in
the browser of anyone who creates content, including site administrators,
and thereby act with their privileges. Extreme care should be taken in
granting the 'administer taxonomy' permission until a fix is available.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSgSXXpEpbGy7DdYAAQIUJQcAl+IR5MY2TPKuYv/nS7N243vh/HXgB7LT
joJzUQaCeTTDvwPwYe3WLY3sC7eQF9TtXik2kRN6h+QcdEcNdy0akcYIMOpNOM2y
X5lHRuHoVJFzp3nAohKXFrxpeNmE2cuNn/VRtVtFfUB33bEjSDEpSMa4OiO5Wq1O
mNY3tWFrEPUDb4b5ouNTyhARcBfmU3c2rqzgdf5rPrioqmlPnA6eXGQ/hr2kKZ7i
e7KDrua9EHm4U7ycpK9PAl/JRgh49U1Nl/MzXv5pT/iJ6SbR8tvc9/hOErc5sSur
m0qhSFm7mQ4=
=AHcD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
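To make the flaw in the advisory above concrete, the following is an added example written for this page; it is not code from the advisory or from Drupal core. It models, in standalone PHP, the pattern the advisory describes: the vocabulary 'Help text' that an 'administer taxonomy' user saves is later placed into the description of a field on the Page/Story creation form. The unsafe renderer interpolates it verbatim, the hardened renderer encodes it, and an audit helper flags stored help texts that contain markup at all. The sample vocabularies, and function names such as render_description_unsafe(), are hypothetical; the only Drupal-specific detail assumed is that a Drupal 5 site stores this text in the help column of its vocabulary table.

```php
<?php
// Added example, not part of the advisory or of Drupal core. Names and sample
// data are hypothetical; the script runs without a Drupal bootstrap.

// Constructed sample of what an 'administer taxonomy' user could save as the
// 'Help text:' of two vocabularies (vid => vocabulary object).
$vocabularies = array(
  1 => (object) array('name' => 'Topics',
                      'help' => 'Pick one or more topics.'),
  2 => (object) array('name' => 'Tags',
                      'help' => 'Tag me<script>alert("xss")</script>'),
);

// Vulnerable rendering: the stored help text is dropped verbatim into the
// form element's description, so any HTML/JS the taxonomy admin saved is
// executed by whoever loads the Page or Story creation form.
function render_description_unsafe($help) {
  return '<div class="description">' . $help . '</div>';
}

// Hardened rendering: encode the text so the browser displays it instead of
// interpreting it. Drupal's own helpers for this context are check_plain()
// (escape everything) and filter_xss_admin() (keep an admin-safe tag subset);
// htmlspecialchars() is used here so the example runs without Drupal.
function render_description_safe($help) {
  return '<div class="description">'
       . htmlspecialchars($help, ENT_QUOTES, 'UTF-8')
       . '</div>';
}

// Audit helper for a site that cannot patch yet: report every vocabulary
// whose help text contains any markup. Feed it the rows of
//   SELECT vid, name, help FROM vocabulary
// from the Drupal 5 database and review each hit by hand.
function find_markup_in_help(array $vocabularies) {
  $suspicious = array();
  foreach ($vocabularies as $vid => $vocab) {
    // strip_tags() changes the string only if it contained tag-like markup.
    if ($vocab->help !== strip_tags($vocab->help)) {
      $suspicious[$vid] = $vocab->name;
    }
  }
  return $suspicious;
}

foreach ($vocabularies as $vid => $vocab) {
  echo "vid $vid unsafe: " . render_description_unsafe($vocab->help) . "\n";
  echo "vid $vid safe:   " . render_description_safe($vocab->help) . "\n";
}
// Expected: only vid 2 ('Tags') is reported.
print_r(find_markup_in_help($vocabularies));
```

Running the script shows the unsafe renderer emitting the script element intact for vocabulary 2, while the safe renderer emits it as `&lt;script&gt;...` text. The audit helper is deliberately coarse: a legitimate help text that uses simple formatting will also be flagged, which is the right trade-off while the only control is reviewing who holds 'administer taxonomy'.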