-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Panels module
(http://drupal.org/project/panels) "allows a site administrator to
create customized layouts for multiple uses. At its core it is a drag
and drop content manager that lets you visually design a layout and
place content within that layout." Unfortunately the Panels module
contains an arbitrary HTML injection vulnerability (also known as cross
site scripting, or XSS) due to the fact that it fails to sanitize div
classes and id specifications for panels before display.
Systems affected:
Drupal 5.21 with Panels 5.x-1.2 was tested and shown to be vulnerable
Impact
User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise. A more likely scenario would be for an
attacker to inject hidden content (such as iframes, applets, or embedded
objects) that would attack client browsers in an attempt to compromise
site users' machines. This vulnerability could also be used to launch
cross site request forgery (XSRF) attacks against the site that could
have other unexpected consequences.
Mitigating factors:
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the 'use
page manager' and 'administer advanced pane settings' permissions. This
could be accomplished via social engineering, brute force password
guessing, or abuse or legitimate credentials.
Proof of concept:
Patch:
Applying the following patch mitigates this issue in version 5.x-1.2
Vendor Response:
Drupal security team no longer supports resolution of vulnerabilities in
Drupal 5. Module maintainer notified in public forums.
Details of this vulnerability are also posted at
http://www.madirish.net/?article=478
Justin Klein Keane
http://www.MadIrish.net
The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPwEAQECAAYFAk1HLrEACgkQkSlsbLsN1gA8dAb+KWZ4opsQLGLe8lseM0JNxigK
2GUACkPq6kuAIarYcpogWLE8AbQEpNTtLTOgSnHtYMV69FBaDibgwY/ZLBP9JsNC
5iKopCmvEAp8CB9LC/jSFffoiIBNUFJmmFl8Zk+elMbN4uDgApLpUA67iIxrGH1e
8K8iC8a7j13WTdh6a13x3+GVO7ezfVrlxoRKLJWX/S+LmWfFAwO0oPSom7aH0Kpl
CewLQgi/p13kTNmyeMmjLdzUaboQpRetzv3PWuZR/+m9FC9CP1I9hwhQCaE4R1WK
NMJ0Aj9V/k1eY5Giezg=
=uoO2
-----END PGP SIGNATURE-----