Open source software security

Drupal 6/7 Password Policy Module XSS Vulnerability

The Password Policy module suffers from a persistent (stored) cross site scripting (XSS or arbitrary script injection) vulnerability because it fails to sanitize expiration warning messages before display.

Drupal Core XSS Vulnerabilities

Drupal (https://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal core suffers from multiple persistent (stored) cross site scripting (XSS, or arbitrary script injection) because the core System module fails to sanitize module names and descriptions provided in module metadata files (identified by their .info extension) before display in some locations.

XSS Vulnerability in TinyMCE

A cross site scripting (XSS), or arbitrary script injection, vulnerability exists in TinyMCE due to the fact that the bbcode plugin violates the explicit security policy of TinyMCE. If the bbcode plugin is enabled, but encoding is enabled using the "encoding" directive, or sanitizing is enabled using the "valid_elements" attribute, these mechanisms fail to function as expected.

Drupal OM Maximenu Multiple Vulnerabilities

The Drupal OM Maximenu module, prior to versions 6.x-1.44 and 7.x-1.44, contains suffers from a number of vulnerabilities, including several arbitrary script injection (XSS) flaws. The module also gives users with permission to "Administer OM Maximenu" the ability to execute arbitrary PHP with no indication of the power of this privilege. This could allow attackers who gain access to accounts with this permission to compromise the host web server, attack other users, and more.

Drupal Inf08 Theme XSS Vulnerability

The Drupal Inf08 theme, prior to versions 6.x-1.10, contains a XSS vulnerability due to the fact that it fails to properly sanitize taxonomy terms before display. This could allow attackers who have the ability to create taxonomy terms to perform arbitrary script injection attacks via persistent cross site scripting.

Drupal Hotblocks Module XSS and DoS Vulnerabilities

The Drupal HotBlocks module contains a persistent cross site scripting (XSS), or arbitrary script injection, vulnerability due to the fact that it fails to sanitize user supplied data before display. The HotBlocks module also suffers from a denial of service vulnerability due to a user triggered infinite code loop.

Transmission XSS Vulnerabilities

Transmission (http://www.transmissionbt.com) is a popular, cross platform, open source BitTorrent client. Transmission includes functionality to enable a web based display of the application. Unfortunately this web based client doesn't sanitize text from torrent files that are loaded into the client resulting in an arbitrary script include (or cross site scripting (XSS)) vulnerability.

Drupal Less CSS Module XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal LESS CSS Preprocessor (hereafter Less) module (https://drupal.org/project/less) "will automatically process any LESS files that are added using drupal_add_css or added through your theme's .info file." The Less module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize Less error messages before display.

Drupal FileField Sources XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal FileField Sources module (https://drupal.org/project/filefield_sources) "lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means." The FileField Sources module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied filenames before display.

Drupal Custom Publishing Options XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Custom Publishing Options module (https://drupal.org/project/custom_pub) contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display.

Drupal Creative Commons 6.x-1.0 XSS Vulnerability

The Drupal Creative Commons module (https://drupal.org/project/creativecommons) "allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. It also provides integration between CC and Drupal technology." The Creative Commons module contains multiple persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied input before display.

Drupal Multiblock 6.x-1.3 XSS Vulnerability

The Drupal Mulitblock module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize block descriptions names before display.

Drupal Wishlist 6.x-2.4 XSS Vulnerability

The Drupal Wish List module (https://drupal.org/project/wishlist) "Allows authorized users to submit wishlist nodes to your web site which describe items they would like for a special occasion." The Wish List module contains a cross site scripting vulnerability due to the fact that unchecked URL variables are used to render JavaScript actions on site pages.

Drupal MultiSite Search Module SQL Injection Vulnerability

The Drupal Multisite Search module (https://drupal.org/project/multisite_search) contains a SQL injection vulnerability due to the fact that it doesn't sanitize the user supplied table_prefix value during query construction in the multisite_search_cron() function called when the Drupal cron is run.

Drupal Mobile Tools 6.x-2.3 XSS

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Mobile Tools module (https://drupal.org/project/mobile_tools) "provides Drupal developers with some tools to assist in making a site mobile." The Mobile Tools module contains several persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied values before display.

Drupal Data 6.x-1.0 XSS Vulnerability

The Drupal Data module (https://drupal.org/project/data) "helps you model, manage and query related sets of tables. It offers an administration interface and a low level API for manipulating tables and accessing their contents." The Data module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize table names before display.

Drupal Finder 6.x-1.9 XSS and Remote Code Execution Vulnerabilities

Reported: January 6, 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Finder module (https://drupal.org/project/finder) "allows Drupal site administrators to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes." The Finder module contains multiple vulnerabilities including persistent cross site scripting (XSS) and an arbitrary code execution vulnerability.

Systems affected:

Drupal Revisioning 6.x-3.13 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Revisioning module (https://drupal.org/project/revisioning) "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display.

Systems affected:

Drupal 6.22 with Revisioning 6.x-3.13 was tested and shown to be vulnerable

Impact

Drupal ManageSite 6.x-1.0 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal ManageSite module (https://drupal.org/project/managesite) contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize region names before display.

Systems affected:

Drupal 6.22 with ManageSite 6.x-1.0 was tested and shown to be vulnerable

Impact

Drupal Video Filter 6.x-2.8 XSS Vulnerability

The Video Filter module version 6.x-2.8 contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to user supplied third party data before display.

Drupal Vote UP Down 6.x-3.0 XSS Vulnerability

The Drupal Vote Up Down module version 6.x-3.0 contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize taxonomy terms before display.

Drupal Autocomplete Node Finder 6.x-2.9 XSS Vulnerability

The Drupal Autocomplete Node Finder module (https://drupal.org/project/autocomplete_node_finder) contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize node titles before display.

Drupal SuperCron 6.x-1.3 XSS Vulnerability

The Drupal SuperCron module version 6.x-1.3, created by 63 Reasons (http://www.63reasons.com/), contains a persistent arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to user supplied data before display.

Drupal Webform Validation Module XSS

Reported: August 31, 2011

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Webform Validation module (http://drupal.org/project/webform_validationt) is designed to provide additional verification for nodes using the Webform module (http://drupal.org/project/webform). The Webform Validation module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize rule names or custom error messages before display.

Linksys WRT54G XSS Vulnerability

Linksys WRT54G is a consumer wireless G broadband router and four port switch. The admin interface does not sanitize keywords for safe browsing leading to a stored/persistent cross site scripting (XSS) vulnerability.

Linksys BEFSR41 Admin Interface XSS Vulnerabilities

Linksys BEFSR41 is a consumer grade cable and DSL router and four port switch. Unfortunately the web based management interface does not sanitize certain user supplied data leading to a cross site scripting (XSS) vulnerability.

Drupal Messaging Module XSS Vulnerability

The Messaging framework module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that the user supplied input is not sanitized before display.

Drupal SWFTools Module XSS Vulnerability

The Drupal SWF Tools module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied input before display.

Drupal Custom Pagers XSS Vulnerability

The Custom Pagers module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize Custom Pagers names before display in the administrative back end interface.

Drupal Panels 5.x-1.2 XSS Vulnerability

The Drupal Panels module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize div classes and id specifications for panels before display.

Drupal Panels Module XSS Vulnerability

Unfortunately the Drupal Panels module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize div classes and id specifications for panels before display.

Drupal Image Module XSS Vulnerability

The Drupal Image module contains a cross site scripting (XSS) vulnerability due to the fact that the module fails to sanitize gallery names before display.

Drupal Embedded Media Field Module XSS Vulnerability

Unfortunately the Embedded Media Field module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize filenames of thumbnail images before display.

e107 XSS and XSRF Vulnerabilities

e107 is a PHP/MySQL based content management system. e107 versions prior to 0.7.23 suffer from cross site scripting and cross site request forgery vulnerabilities.

NuralStorm Webmail Multiple Vulnerabilities

A recent code audit of the NuralStorm Webmail system revealed a number of serious vulnerabilities. If you are using NuralStorm please review the following vulnerability report. It is recommended that you restrict access to any NuralStorm installations immediately and disable NuralStorm if possible. There is currently no patch or work around for the vulnerabilities described herein.

Drupal Context Module XSS

The Context module contains a cross site scripting (XSS) vulnerability because it fails to sanitize block descriptions before display.

TaskFreak 0.6.2 SQL Injection Vulnerability

The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API developed by Tirzen (http://www.tirzen.com), an intranet and internet solutions provider. The Tirzen Framework contains a SQL injection vulnerability (http://www.owasp.org/index.php/SQL_Injection). This vulnerability could allow an attacker to arbitrarily manipulate SQL strings constructed using the library. This vulnerability manifests itself most notably in the Task Freak (http://www.taskfreak.com/) open source task management software. The vulnerability can be exploited to bypass authentication and gain administrative access to the Task Freak system.

Drupal Better Formats 6.x-1.2 XSS Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Better Formats module (http://drupal.org/project/better_formats) contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display.

Drupal Zen Theme 6.x-1.1 XSS Vulnerability

Drupal is a robust content management system (CMS) written in PHP and MySQL that provides custom look and feel functionality with themes. The popular Zen theme contains a cross site scripting vulnerability due to the fact that it fails to properly sanitize breadcrumb separators upon display allowing arbitrary script injection.

Drupal Twitter Module Credential Exposure

The Drupal Twitter module handles credentials in an unsafe manner, allowing anyone with read access to the Drupal database, or with access to network traffic between the Drupal server and the Twitter API, to observe the full Twitter username and password for Twitter user configured through the module.

Magento eCommerce XSS Vulnerabilities

Magento (http://www.magentocommerce.com/) is an eCommerce platform written in MySQL and PHP. Magento contains numerous serious cross site scripting (XSS) vulnerabilities.

dotProject Multiple Vulnerabilities

dotProject (http://www.dotproject.net/) is a robust open source project management tool written in PHP and MySQL. dotProject contains numerous serious cross site scripting (XSS) and SQL injection vulnerabilities.

Drupal 5.20 and 6.14 Filter Module (Core) XSS Vulnerabilities

The Drupal Filter module, part of Drupal core, contains a cross site scripting vulnerability in Drupal version 5.20 and 6.14. This vulnerability could allow attackers that can manipulate the site name variable to inject arbitrary HTML into page display.

Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability

The Drupal Wikitools module versions 6.x-1.2 and 5.x-1.3 contain cross site scripting vulnerabilities due to the fact that they fail to sanitize the output of content type names before display. This vulnerability could allow attackers who can craft content type names to inject arbitrary HTML into pages.

Drupal 6 Core Cross Site Scripting Vulnerabilities

Drupal 6.12 core contains two oft used functions that fail to properly sanitize output. Drupal utilizes the non-standard method of user supplied input sanitizing by scrubbing data as it is retrieved from the data layer, rather than as it is submitted. This leads to many instances of confusion amongst developers and vulnerabilities in Drupal modules. Even the Drupal core is not immune to these sorts of errors. Cross site scripting vulnerabilities, or the injection of arbitrary HTML into the data layer that is later rendered without being sanitized, can lead to compromise of Drupal user accounts.

Drupal 6 CCK Module Allows Arbitrary PHP Injection

Drupal 6 does a rather good job of preventing unauthorized users from injecting PHP into content in order to take control of the web server. Unlike Drupal 5, Drupal 6 does not have a default PHP input type, which is a huge leap forward in preventing users from crafting PHP. This helps protect the web server from compromise should someone gain Drupal credentials. The Drupal site touts this new feature.

PHP-Calendar SQL Credential Disclosure

This vulnerability centers around the fact that PHP-Calendar comes with update scripts to update previous versions of the software. These scripts will print to the screen the database host, username, password, database name, table prefix, and database type. PHP-Calendar (http://www.php-calendar.com) was "written for a college social group at Northeastern University to keep track of events, etc. We were previously using localendar, which I (Sean Proctor) didn't like and had some problems with. I found CST-Calendar which did most of what I wanted, but was rather ugly and missed some features that we needed. So, I gradually re-wrote CST-Calendar since that project seemed to have stopped work entirely."

Drupal Brilliant Gallery 5.x-4.1 SQL Injection Vulnerability

The Brilliant module (http://drupal.org/project/brilliant_gallery), created by Vacilanda (http://www.vacilando.org/) is designed to allow users to easily create dynamic picture galleries by uploading images directly to a server and including code directly within nodes to display the gallery. Unfortunately the module contains a SQL injection vulnerability.

Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities

Drupal 6.14 and 5.20 suffer from cross site scripting vulnerabilities because they fail to properly sanitize the 'site name' and 'site slogan' values in the HTML headers, allowing attackers with privileges to alter these values to inject arbitrary HTML.

Security Review of NanoCMS

A brief security evaluation of NanoCMS version 0.4 final revealed a number of notable security vulnerabilities.

pPIM 1.01 Multiple Vulnerabilities

pPIM came to my attention recently with the publishing on Milw0rm of exploit code designed to facilitate remote command execution (http://www.milw0rm.com/exploits/8093). As there is a milw0rm exploit already posted it is likely malicious users are already exploiting pPIM. I decided to have a closer look at pPIM and, quite frankly, was horrified by what I found. pPIM contains multiple vulnerabilities, from version information leakage, to system credential disclosure, to remote command execution, authentication bypass and cross site scripting vulnerabilities. Possibly the only class of vulnerability pPIM is not exposed to is SQL injection as it doesn't employ any database back end. That said, there seemed to be nothing in the way of security other than an easily bypassable GET variable check in the header, present in pPIM. The following is a brief synopsis of my findings, although I gave up investigation at after discovering so many flaws in the application's architecture with respect to security.

Drupal 6.22 Core XSS Vulnerability

Drupal 6.22 core contains a cross site scripting vulnerability in the user module.

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various core modules. The user module controls user login and management. The user module's access rules functionality contains a persistent cross site scripting vulnerability because it fails to sanitize mask values before display.

Systems affected:

Drupal 6.22 was tested and shown to be vulnerable.

AeroMail 2 Multiple Vulnerabilities

AeroMail 2 is a lightweight PHP based e-mail client. AeroMail 2 suffers from a number of cross site scripting (XSS) as well as cross site request forgery (CSRF or XSRF) vulnerabilities. These vulnerabilities could allow remote attackers to send e-mail (possibly spam) as a user, delete e-mail, or create persistent arbitrary code that could be used to attack client side vulnerabilities.

AeroMail 2.80 Multiple Vulnerabilities

AeroMail 2 suffers from a number of cross site scripting (XSS) and cross site request forgery (CSRF) vulnerabilities.Vulnerability Report

Description of Vulnerability:

AeroMail 2 is a lightweight e-mail client written in PHP.

Drupal Download Count Module XSS Vulnerability

The Drupal Download Count module (http://drupal.org/project/download_count) is designed to keep track of file downloads on Drupal sites. This module contains multiple cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied input before display.

Drupal Core Color XSS Vulnerabilities

Recently the Drupal team released a security upgrade to the Drupal core to versions 6.21, 6.22, 7.1 and 7.2. These updates fixed several security flaws, the most commonly exploitable of which is a flaw in the core color module that allowed an attacker who could gain access to the color picker widget (for instance through the theme administration) to perform cross site scripting (XSS) attacks. This flaw resulted in a persistent XSS vulnerability in the Drupal core.

Drupal Flag Module 6.x-1.1 XSS Vulnerability

The Flag module version 6.x-1.1 contains a cross site scripting vulnerability because it does not properly sanitize output of role names before display during flag creation.

Drupal NodeQueue 6.x-2.1 XSS Vulnerability

The NodeQueue module version 6.x-2.1 suffers from a cross site scripting (XSS) vulnerability due to the fact that it does not properly sanitize taxonomy names during display.

Drupal Views 6.x-2.5 XSS Vulnerability

The Drupal Views module 6.x-2.5 contains a cross site scripting (XSS) vulnerability. XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Drupal Taxonomy Manager 6.x-1.0 XSS Vulnerability

The Drupal Taxonomy Manager version 6.x-1.0 suffers from a cross site scripting vulnerability because it fails to properly sanitize the "Vocabulary name" during output, allowing for the injection of arbitrary HTML.

Drupal Email Field 6.x-1.1 XSS Vulnerability

The Drupal Email Field module version 6.x-1.1 contains a cross site scripting vulnerability due to the fact that it fails to sanitize help text entered by users during content type configuration.

Drupal Flag Module 6.x-1.1 Multiple Vulnerabilities

The Drupal Flag module version 6.x-1.1 contains several cross site scripting vulnerabilities because it does not properly sanitize output of role names before display. The flag module also contains cross site scripting vulnerabilities because it fails to properly sanitize content type names. Additionally the Flag module contains a SQL injection vulnerability because it does not properly sanitize variables before concatenating them into a SQL query.

Drupal Embedded Media 6.x-1.0 Multiple XSS

The Drupal Embedded Media Field module version 6.x-1.0 contains several cross site scripting (xss) vulnerabilities because it does not properly sanitize the output of 'Help text', 'Custom thumbnail label', of 'Custom thumbnail description' specified when creating an Embedded Media Field content type field.

Drupal 6.12 (core) User Module XSS Vulnerability

he user module is provided as part of the Drupal 6 core modules and contains a cross site scripting (XSS) vulnerability that can allow users with the 'administer permissions' permission to inject arbitrary HTML into role names. Users with 'administer permissions' permission could create new roles containing malicious JavaScript and silently attack site administrators. While users with this permission could elevate the permissions of their own role using permissions they have been granted, this flaw could allow for a "stealth" attack vector.

Drupal CCK 6.x-2.2 XSS Vulnerability

The Drupal CCK module version 6.x-2.2 contains a vulnerability that could allow an authenticated attacker to inject arbitrary script into administration screens for content types.

Drupal 5.17 Taxonomy (Core) Module Contains XSS Vulnerability

Drupal 5.17 Taxonomy module, which is part of the Drupal core and is enabled by default upon installation, contains a cross site scripting vulnerability that allows users with the 'administer taxonomy' permission to inject arbitrary HTML in the help text of any Category vocabulary.

Drupal CCK 5.x-1.10 XSS Vulnerability

The CCK module version 5.x-1.10 contains a cross site scripting vulnerability because it does not properly sanitize output of group labels before display.

Pixie CMS Multiple Vulnerabilities

Pixie is a dynamic, PHP based content management system (CMS). Pixie version 1.01 contains several vulnerabilities (including SQL injection and cross site scripting).

Drupal Password Reset via XSS

There have been quite a few Cross Site Scripting (XSS) vulnerabilities discovered in Drupal modules recently. Many people scoff at XSS and even argue that it's a low threat vulnerability. In many cases this is certainly true, however XSS can be used as an element in an attack that leverages other security weaknesses to devastating consequence. A case in point is the password changing option in Drupal. Drupal does a wonderful job in preventing against Cross Site Request Forgery (XSRF or CSRF) by placing tokens in forms to validate posts. Drupal provides a token in the id "edit-user-edit-form-token" in the edit user form (found at ?a=user/X/edit where X is the user id number). A sample value contained in this hidden form field is "5545a410de3662f1844af7ee6f1ee770" - a value sufficiently long and random that an attacker would have great difficulty in guessing the value. However, the Drupal account page doesn't require users to enter the current account password in order to change the password to a new value. This flaw, combined with a well crafted XSS attack, could be used to change a user's password to an arbitrary value. What's worse, Drupal uses session cookies by default that can keep users logged into the site for days. This means that a user could be the victim of a password changing attack and not even realize their password had been changed for some time (until their session cookie timed out or they logged out of the site) when they were forced to log back in to the site. The user would still be able to request a password reset via e-mail, so they would not be locked out of the site, but they might have their account hijacked for some time in the interim.

Security Evaluation of Frog CMS

Frog CMS (http://www.madebyfrog.com/) is a lightweight content management system written in PHP that supports several back-end databases (including MySQL). "Frog CMS simplifies content management by offering an elegant user interface, flexible templating per page, simple user management and permissions, as well as the tools necessary for file management."

Frog CMS uses a robust, object oriented PHP codebase that eliminates many of the most common web application vulnerabilities found in PHP. Frog CMS does, however, have some deficiencies that should be cause for concern. The following are issues identified during a short code audit of the application...

Drupal Leaking Version Information

The Drupal content management system (CMS) is powered by many modules that extend the capabilities of the base system. Vulnerabilities in contributed modules are the source of many of Drupal's security woes. Determining module version information allows attackers to target sites with vulnerable modules. There are many means for attackers to profile Drupal sites to determine which modules are installed and the version installation.