SECURITYVULNS:DOC:23728
Apr 30, 2010 - 12:00 a.m.

XSS in Drupal Better Formats Module

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description of Vulnerability:


Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Better Formats module
(http://drupal.org/project/better_formats) contains a cross site
scripting (XSS) vulnerability due to the fact that it fails to sanitize
format names before display.
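
The effect of the missing escaping, as an added example that is not part of the original advisory or the module's code. `escape_plain()` and `render_radio_label()` are hypothetical stand-ins for Drupal's `check_plain()` and radio theming so the script runs without Drupal, and the format rows are constructed sample data.

```php
<?php
// Stand-in for Drupal's check_plain() (assumption: plain HTML entity encoding).
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical, simplified renderer: the title is concatenated into the
// markup exactly as passed in, so the caller must escape it first.
function render_radio_label($title, $id) {
  return '<label class="option" for="' . $id . '">'
    . '<input type="radio" id="' . $id . '" /> ' . $title . '</label>';
}

// Flag stored format names containing HTML-significant characters
// (<, >, &, quotes): names that render differently once escaped.
function find_suspect_format_names(array $formats) {
  $suspect = array();
  foreach ($formats as $format) {
    if (escape_plain($format->name) !== $format->name) {
      $suspect[$format->format] = $format->name;
    }
  }
  return $suspect;
}

// Constructed sample rows shaped like the $format objects in the patch.
$formats = array(
  (object) array('format' => 1, 'name' => 'Filtered HTML'),
  (object) array('format' => 2, 'name' => 'Full HTML'),
  (object) array('format' => 3, 'name' => 'Notes<script>alert(1)</script>'),
);

foreach ($formats as $format) {
  $id = 'edit-format-' . $format->format;
  echo 'before patch: ', render_radio_label($format->name, $id), "\n";
  echo 'after patch:  ', render_radio_label(escape_plain($format->name), $id), "\n";
}

// Names an administrator should review after patching.
print_r(find_suspect_format_names($formats));
```

Only the third row changes between the two renderings and is the only one returned by `find_suspect_format_names()`; the patch neutralizes such a name at display time but does not remove it from storage.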

Systems affected:


Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be
vulnerable.

Impact


A user could inject arbitrary scripts into pages, affecting site users.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:


In order to execute arbitrary script injection, malicious users must have
the 'Administer filters' permission. The Drupal security team has
classified vulnerabilities that require this permission
(http://drupal.org/node/475848) as "display bugs" because access to this
permission allows for alteration of input specifications that could
allow users with permissions to create content to craft arbitrary PHP.
However, in a situation where a user had the "administer filters" permission
but could not create content, this vulnerability could be used to attack
other Drupal users.

Patch:


Applying the following patch mitigates this issue in version 6.x-1.2.

  • — better_formats/better_formats.module 2010-02-05 08:59:18.000000000
    -0500
    +++ better_formats/better_formats.module 2010-04-27 11:35:53.444189426 -0400
    @@ -537,7 +537,7 @@ function better_formats_filter_form($val

    $form = array(
    '#type' => 'fieldset',

    •  '#title' => $fieldset_title,
      
  •  '#title' => check_plain($fieldset_title),
     '#collapsible' => $collapsible,
     '#collapsed' => $collapsed,
     '#weight' => $weight,
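
Review bot: In the fieldset array, check_plain($fieldset_title) escapes at the point of output, but the hunk does not show where $fieldset_title is assigned, so it is not clear whether the value can already be escaped or translated by the time it reaches '#title'; if it can, this line would double-encode it. Confirm that $fieldset_title is raw text on every path into better_formats_filter_form(), and add a one-line comment above '#title' saying why it is escaped here.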
    

@@ -551,7 +551,7 @@ function better_formats_filter_form($val
$parents_for_id = array_merge($parents, array($format->format));
$form[$format->format] = array(
'#type' => 'radio',

    •    '#title' => $format->name,
      
  •    '#title' => check_plain($format->name),
       '#default_value' => $default,
       '#return_value' => $format->format,
       '#parents' => $parents,
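
Review bot: On the radio element, only '#title' is wrapped in check_plain(), which covers this one rendering of $format->name; the advisory describes the flaw as format names not being sanitized before display, so any other place in the module that prints a format name would stay unescaped. Search better_formats.module for the remaining uses of $format->name and apply check_plain() there as well, or state in the patch description that these two '#title' lines are the only output sites.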
    

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----