Re: [Security-news] SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)

["Justin C. Klein Keane" <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the curious:

XSS Exploit:
- ---------------
1.  Install and enable the HotBlocks module
2.  Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
3.  Change Block #1 Name to "<script>alert('xss');</script>"
4.  View the rendered Javascript at ?q=admin/content/hotblocks

Denial of Service Exploit:
- --------------------------------
1.  Install and enable the HotBlocks module
2.  Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
3.  Change Block #1 Name to "<script>alert('xss');</script>"
4.  Change "Term for hotblocks item:" to "hotblock item
<script>alert('hotblock term');</script>"
5.  Change "Term for hotblocks items:" to "hotblock item
<script>alert('hotblock terms');</script>"
6.  Save configuration
7.  Go to Block admin at ?q=admin/build/block
8.  Drag the Block #1 to the left sidebar and 'Save'
9.  Return to the home page.
9.  Click the 'Put a hotblock here' icon in the left sidebar and click
the malicious name.  This points to a link such as
hotblocks/assign/11/1?destination=node&path=node&systemtype=block&token=343d600c37a2ed557df7cd22a0010352
10.  Refresh the page - WSOD, error logs indicate something like:
[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal
Segmentation fault (11)
or
[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error:
 Maximum execution time of 30 seconds exceeded in
/var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer:
http://10.10.0.101/drupal/


Justin C. Klein Keane
http://www.MadIrish.net

The PGP signature on this email can be verified using the public key at
http://www.madirish.net/gpgkey

On 08/15/2012 02:19 PM, security-news () drupal org wrote:
> View online: http://drupal.org/node/1732946
>
> * Advisory ID: DRUPAL-SA-CONTRIB-2012-126 * Project: HotBlocks [1]
> (third-party module) * Version: 6.x * Date: 2012-August-15 *
> Security risk: Moderately critical [2] * Exploitable from: Remote *
> Vulnerability: Cross Site Scripting, Multiple vulnerabilities
>
> -------- DESCRIPTION 
> ---------------------------------------------------------
>
> The Hotblocks module provides an enhanced GUI for administering
> blocks and block content that is intended to be simpler and more
> controllable for less privileged users than the default block
> administration tools.
>
> .... Cross Site Scripting (XSS)
>
> The module doesn't sufficiently sanitize the user input for "block
> names" on the module's settings page. A user could inject arbitrary
> scripts into pages affecting site users.
>
> This XSS vulnerability is mitigated by the fact that an attacker
> must have a role with the permission "administer hotblocks".
>
> .... Denial of Service (DoS)
>
> The hotblocks user interface also allows a user to configure one
> hotblock to reference itself as content, thereby creating an
> infinite loop and potentially rendering a site unusable.
>
> The DoS vulnerability is mitigated by the fact that a user must
> have a role with the permission "administer hotblocks" or a user
> with said permission must have configured the site such that it
> allows hotblocks to be embedded in other hotblocks.
>
> CVE: Requested
>
> -------- VERSIONS AFFECTED 
> ---------------------------------------------------
>
> * Hotblocks 6.x-1.x versions prior to 6.x-1.8.
>
> Drupal core is not affected. If you do not use the contributed
> HotBlocks [3] module, there is nothing you need to do.
>
> -------- SOLUTION 
> ------------------------------------------------------------
>
> Install the latest version:
>
> * If you use the Hotblocks module for Drupal 6.x, upgrade to
> Hotblocks 6.x-1.8 [4]
>
> Also see the HotBlocks [5] project page.
>
> -------- REPORTED BY 
> ---------------------------------------------------------
>
> * Justin C. Klein Keane [6]
>
> -------- FIXED BY 
> ------------------------------------------------------------
>
> * Justin Dodge [7] the module maintainer
>
> -------- COORDINATED BY 
> ------------------------------------------------------
>
> * Greg Knaddison [8] of the Drupal Security Team
>
> -------- CONTACT AND MORE INFORMATION 
> ----------------------------------------
>
> The Drupal security team can be reached at security at drupal.org
> or via the contact form at http://drupal.org/contact [9].
>
> Learn more about the Drupal Security team and their policies [10],
> writing secure code for Drupal [11], and securing your site [12].
>
>
> [1] http://drupal.org/project/hotblocks [2]
> http://drupal.org/security-team/risk-levels [3]
> http://drupal.org/project/hotblocks [4]
> http://drupal.org/node/1732828 [5]
> http://drupal.org/project/hotblocks [6]
> http://drupal.org/user/302225 [7] http://drupal.org/user/238638 [8]
> http://drupal.org/user/36762 [9] http://drupal.org/contact [10]
> http://drupal.org/security-team [11]
> http://drupal.org/writing-secure-code [12]
> http://drupal.org/security/secure-configuration
>
> _______________________________________________ Security-news
> mailing list Security-news () drupal org Unsubscribe at
> http://lists.drupal.org/mailman/listinfo/security-news
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAlAr708ACgkQkSlsbLsN1gCDJQb/XAYzsmAgbD/Sd6yAIuNXRTbJ
F6CW8laAHOKuZjUQdhBUJuOaXSMIqXEut9xerPzlEfXX0WWo5nyMIdsjezP+CUck
l+IzYVuRiLHDR2Ra5GSzHuOB+h7VjSJkynEThZBDFRyLBYtSvNDZ/QATn5Orhp/2
oCcx5443PECvkdzUsGTzCPBQiucIPFuzQTYggsd23Zf70Nqkq/VMW4xA+rVHOFLS
f61DH1feqhYNUW3GG7lhuqUX9vAHLjFQlgGWt8gD2o7tZ6wMFrtKsSouYsDavwAm
KamG8mEM+2+IdhDacqE=
=ubeS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/