-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vendor Notified: 05/18/09 Vendor Response: Karoly Negyesi of Drupal security denies issue exists. Drupal security has responded to reports of CCK based XSS vulnerabilities in past with http://drupal.org/node/372836, which basically shirks the issue. Although a problem clearly exists, Drupal seems unconcerned with fixing it, instead semantically hiding the vulnerability behind a reclassification of permissions that appears only in SA-CORE-2009-002 rather than in either the Drupal interface or documentation. Details of this report are also published at http://lampsecurity.org/drupal-cck-xss-vulnerability Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Drupal Content Creation Kit (CCK) is a module that allows site maintainers to modify content types by associating custom fields with specific content types. The Drupal CCK module contains a vulnerability that could allow an authenticated attacker to inject arbitrary script into administration screens for content types. This could allow an attacker to issue a cross site scripting (XSS) attack against Drupal users with elevated privilege levels. Systems affected: - ----------------- Drupal 6.12 with CCK 6.x-2.2 was tested and shown to be vulnerable Mitigating factors: - ------------------- CCK must be installed and enabled. Attacker must have 'administer content types' permissions in order to exploit this vulnerability. Proof of concept: - ----------------- 1. Install Drupal 6.12. 2. Install CCK and enable all CCK functionality through dminister -> Modules 3. Click on Administer -> Content management -> Content types 4. Select a type and click the 'manage fields' operation 5. Click 'edit' to edit the node-type 6. Expand the 'Submission form settings' input area 7. Fill in "" for the "Body field label" 9. Click 'Save content type' 10. Click Administer -> Content Management -> Content types 11. Click "manage fields" link for the type selected in #4 above 12. Observe two JavaScript alerts - -- Justin C. Klein Keane http://www.MadIrish.net http://www.LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQD1AwUBShHDh5EpbGy7DdYAAQKbfgcAijtPqazvwOhltQmuep/+tP1scvmaifGa keMcKb7pTyP/GVJxrPoUeCif287myaD25jwL4P3SVS4+cUgTbWbwZGRc5QZdk8Kd E6GV05WL7Ufo7bmqPecOj4QuiYD7zl/dFX8o188nViqmvB8xnQqRYywL3wRhPSI7 suDuEAeCNKxr5IGzNs5mS6ZaF/gQRF7KKt2yKwlv/MDhvf0uwRU0hfpJ+MLTbCbf wJNhXoG3aT00prXgmBxsTSzAMBhp4tG2ufBc1aLRYn26lCoBUNO9a3mk+a+xiKQb TtEDePFbRIw= =cfte -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/