-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this disclosure have been posted at
http://lampsecurity.org/drupal-role-xss-vulnerability

Vendor Notified: 05/19/09
Vendor Response: Drupal security team responds that this vulnerability
has been publicly disclosed since October 2, 2008 and it is not
considered a "security risk." Ref: http://drupal.org/node/316136.

Description of Vulnerability
- ----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The user module is provided as part of the Drupal 6
core modules and contains a cross site scripting (XSS) vulnerability
that can allow users with the 'administer permissions' permission to
inject arbitrary HTML into role names. Users with 'administer
permissions' permission could create new roles containing malicious
JavaScript and silently attack site administrators. While users with
this permission could elevate the permissions of their own role using
permissions they have been granted, this flaw could allow for a
"stealth" attack vector.

Systems Affected
- ----------------
Drupal 6.12 was tested and shown to be vulnerable

Impact
- ------
Authenticated users with 'administer permissions' can exploit this
vulnerability to attack other users with privileges to view roles.

Mitigating factors:
- -------------------
Attacker must have 'administer permissions' permissions in order to
exploit this vulnerability. Having this permission would allow a user to
elevate permissions of their own role so this vulnerability would
represent a more subtle attack vector.

Proof of concept:
- -----------------
1. Install Drupal 6.12.
2. Click Administer -> User management -> Roles
3. Enter "<script>alert('xss');</script>" in the "Name" textarea
4. Click the "Add Role" button
5. Observe JavaScript alert

NB
- ----
Note that this XSS affects several other functions in the Drupal 6
administrative back end.

- --

Justin C. Klein Keane
http://www.MadIrish.net
http://LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkoTMxUACgkQkSlsbLsN1gCj7gb+J8Dtp8UkC/JvWlqjNvq0Geoy
2iBxGZc98m4DLGf6wqeQ5aeEMUMvITEB6MA3AKfha6p55fnL3Y3eQoydCM8CeKkB
Zianya35NiJfZnAvesAYJuvYCGZHs7prSg3FhFHsLCEAXv1oWb6yAbGXK6dxGd+7
ljeMOjfKCvRbcFq+Pf9WsCBSXp++5MrVU1Tfz8MH4Q62Ku6ln42ZqC5v4exrG4vR
THmPaIL74M0vxJbv/gvvXkEOplEvGyWUn20GDiMjk+tzJLQw76JvUt+VlBXdI0mB
Wb1QZJnu1lAqK1SDYOU=
=J8AK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/