The full text of this advisory can also be found at
http://www.madirish.net/?article=448

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules.  The Advanced Help Injection and Export Module
(http://drupal.org/project/helpinject) "assists you in writing help
texts suitable for use with the Advanced Help module by allowing you to
write your help texts in Drupal books."  The module suffers from an
arbitrary HTML injection (stored cross-site scripting) vulnerability.

Systems affected:
-----------------
Drupal 6.15 using Advanced Help 6.x-1.2 and Help Inject 6.x-1.0-alpha6
was tested and shown to be vulnerable.  The Advanced Help module is a
dependency, but was not tested for vulnerability.

Impact:
-------
Attackers can exploit this vulnerability to escalate privilege and take
control of the web server process.

Mitigating factors:
-------------------
The Advanced Help and Help Inject modules must be installed and enabled.
An attacker must have 'create book content' permissions in order to
exploit this vulnerability.  Only those with the 'inject help'
permission are vulnerable, although this includes the site administrator.

Proof of concept:
-----------------
1.  Install Drupal 6.15.
2.  Install Book, Advanced Help and Help Inject and enable all
functionality through Administer -> Modules.
3.  Log in as uid 0 - the admin account
4.  Create a book using 'Create content' -> 'Book page'
5.  Fill in arbitrary values for the book title
6.  Expand the 'Book outline' form and select '<create a new book>' from
the 'Book:' select
7.  Save the book using the 'Save' button
8.  Log out and log in as a user with 'create book content' privilege
9.  Click 'Create content' -> 'Book page'
10.  Enter "<script>alert('xss');</script>" for the 'Title:' area
11.  Expand the 'Book outline' fieldset
12.  Select the book created in step 5 from the 'Book:' select item
13.  Click the 'Save' button
14.  Log out and log in as a user with privileges to 'inject help'
15.  Click on any of the Help Inject icons (the little plus in a gray
circle)
16.  Click the 'Next' button on the 'path granularity' screen
17.  Observe the JavaScript alert.
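The unsafe rendering the advisory describes, beside the corresponding Drupal 6 fix, as an added example: this is not the Help Inject module's own code, and the function names and the node structure are assumed for illustration.

```php
<?php
// Added illustration, not the Help Inject module's source: how a stored
// book title can reach the 'path granularity' screen unescaped, and the
// Drupal 6 fix. Function names here are hypothetical.

// Stand-in so this runs outside Drupal: Drupal 6 core's check_plain()
// is htmlspecialchars() with ENT_QUOTES on UTF-8 text.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed book node, shaped like a Drupal 6 node_load() result, with
// the title from step 10 of the advisory stored by a 'create book content'
// user.
$book = (object) array(
  'nid'   => 42,
  'type'  => 'book',
  'title' => "<script>alert('xss');</script>",
);

// Vulnerable pattern: the stored title is concatenated straight into
// markup, so the <script> runs in the browser of whoever views the page,
// here a user holding the 'inject help' permission (the admin included).
function book_option_vulnerable($node) {
  return '<option value="' . $node->nid . '">' . $node->title . '</option>';
}

// Hardened form: cast the id and pass the title through check_plain(), so
// the browser renders the literal text and nothing executes. Use
// check_plain() for plain-text values like titles; filter_xss() is only
// for fields where a whitelist of HTML is intended.
function book_option_fixed($node) {
  return '<option value="' . (int) $node->nid . '">'
       . check_plain($node->title) . '</option>';
}

// Quick self-check a developer can run from the command line.
$unsafe = book_option_vulnerable($book);
$safe   = book_option_fixed($book);
echo "vulnerable: $unsafe\n";
echo "fixed:      $safe\n";
// The fixed output must not contain a raw '<script' tag; the vulnerable
// one does.
var_dump(strpos($safe, '<script') === false);
var_dump(strpos($unsafe, '<script') !== false);
```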

-- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/