Drupal Protected Node Module XSS Vulnerability

Vulnerability ID 1052152    Vulnerability type
Published 2009-03-01    Updated 2009-03-01
CVE ID N/A    CNNVD ID N/A
Platform N/A    CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2009030001
|Details
Vulnerability details have not yet been disclosed.
|Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version Tested:  5.x-1.3 on Drupal 5.15

The Drupal Protected Node module
(http://drupal.org/project/protected_node) is designed to restrict
access to nodes using passwords.  When nodes are created they can be
protected by selecting 'protected node' and specifying a password.
Users attempting to access the node must then enter a password in order
to access the node.  Details of this vulnerability can also be found at
http://lampsecurity.org/node/28.

The Protected Node module fails to properly sanitize the text entered in
the 'Password page info' field under Administer -> Site Configuration ->
Protected Node.  Only users with the 'administer site configuration'
permission can reach this page, so the attacker must already hold that
permission; the injected script then executes in the browser of every
user who is shown the password prompt for a protected node.

Steps to reproduce the exploit:

1.  Enable the Protected Node module
2.  Set permissions (Administer -> User Management) so anonymous users
can access protected content in the protected_node module section
3.  Click Administer -> Site Configuration -> Protected node
4.  Enter the value <script>alert('xss');</script> into the 'Password
page info' textarea
5.  Create a new piece of content
6.  In the 'Protected node' section on the content creation screen check
the 'Node is protected' checkbox and enter a password.
7.  Save the content.
8.  Log out and view the content to trigger the JavaScript


Technical details:

This vulnerability is introduced by a failure to sanitize user input as
it is being displayed in the protected_node_enterpassword() function in
protected_node.module.  Lines 272-274 print out the user-supplied text
using the statement:

$form['protected_node'] = array(
  '#value' => $info
);

The $info variable should be sanitized with check_plain() or a similar
function before it is placed in the form array in order to prevent the
XSS vulnerability.
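The following script is an added example, not code from the Protected Node module or from this advisory's author.  It reproduces, outside Drupal, what the reproduction steps and the technical details above describe: the 'Password page info' text is placed into a '#value'-only form element and rendered verbatim, and the same element with check_plain() applied.  drupal_check_plain() is a stand-in with the same body as Drupal 5's check_plain() (htmlspecialchars with ENT_QUOTES), render_markup() is a stand-in for how Drupal emits a '#value'-only element, the function names vulnerable_element() and hardened_element() are hypothetical, and the $info string is a constructed sample of what an administrator could type in step 4.

```php
<?php
// Added example: vulnerable vs. hardened rendering of the admin-supplied
// 'Password page info' text. Not the module's own code.

// Stand-in for Drupal 5's check_plain(), which is
// htmlspecialchars($text, ENT_QUOTES). Defined here so the script runs
// without a Drupal installation.
function drupal_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES);
}

// Stand-in for Drupal's rendering of a form element that has only
// '#value' and no '#type': the value is emitted as raw markup.
function render_markup(array $element) {
  return $element['#value'];
}

// Vulnerable (hypothetical name): mirrors lines 272-274 of
// protected_node.module. The text reaches the browser unescaped.
function vulnerable_element($info) {
  return array('#value' => $info);
}

// Hardened (hypothetical name): escape at output time, before the text
// is placed in the form array.
function hardened_element($info) {
  return array('#value' => drupal_check_plain($info));
}

// Constructed sample of the 'Password page info' textarea contents
// (step 4 of the reproduction steps above).
$info = "Enter the password to view this node.\n"
      . "<script>alert('xss');</script>";

$vuln = render_markup(vulnerable_element($info));
$safe = render_markup(hardened_element($info));

echo "Vulnerable output:\n", $vuln, "\n\n";
echo "Hardened output:\n", $safe, "\n\n";

// The raw tag survives only in the vulnerable rendering.
var_dump(strpos($vuln, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
```

check_plain() escapes every HTML character, so if the intent is to let administrators supply formatted text, Drupal's filter_xss() with an explicit allowed-tag list is the alternative; in either case the escaping belongs at the point where $info is rendered, not where it is stored in the variable table.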

Drupal security (http://drupal.org/security) team and module maintainer
have been notified.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSagRtJEpbGy7DdYAAQJuYwcAjhDPxL2rYb9epxZ5J55kslSVYC0tMxaR
89AtwVC7NqXZ6fn9XH1vn71jw1qCNp6xnyNUgmlZDFmKs11Q3iTHgS5O2pWOiu8E
SUwPqguqRlx6QgQRtsJaKnS0zAFHWWc2i/jZWeHwkucf3LgJkYcEC4T/p8rRDjp3
wM0KdJnhbqC4/D8jSPAD3Ila8CRci9uoWwyGM6O4YtNQ/sxjtSHVC2ngmG3q2jTc
JRZtMsmiAgyj4CxCY3cbcAEFTDowredqt0283Y8s+qOxKwXlDZMeoKpRfyGK2FO2
IPLhieMuPdc=
=xS7G
-----END PGP SIGNATURE-----