Superfish 7.x-1.9 Cross Site Scripting Vulnerability
====================================================
Author: Ubani A Balogun <ubani@sas.upenn.edu>
Reported: June 25, 2014
Product Description:
--------------------
Superfish integrates jQuery Superfish plugin with your Drupal menus.
Description of Vulnerability:
-----------------------------
Superfish suffers from a minor Cross Site Scripting vulnerability due
to its failure to sanitize error messages before displaying them using
the Drupal form_set_error function on the module configuration page.
System impacted:
----------------
Superfish 7.x-1.9 was tested on Drupal 7.28 using the Mozilla Firefox
29.0 browser and found to be vulnerable.
Impact:
-------
Users with the permission to administer the superfish module can
inject arbitrary script via the module configuration form that
executes if form validation fails.
Mitigating Factors:
-------------------
A malicious user must have permissions to administer the superfish
module in order to inject and execute arbitrary script. The
vulnerability is further mitigated by the fact that the injected
script is not persistent, thus reducing the impact of the vulnerability.
Proof of Concept:
-----------------
1. Install and enable Superfish 7.x-1.9 on Drupal 7.28
2. Navigate to the superfish administration page at
?q=admin/config/user-interface/superfish.
3. Replace the contents of the text area "Path to Superfish library"
with: "<script>alert('XSS')</script>" (excluding quotes)
4. Click "Save configuration". Form validation fails, but a JavaScript
alert box with the text "XSS" pops up.
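The following stand-alone PHP illustration is added here and is not the Superfish module's or Drupal's own code: check_plain() and t() are minimal stand-ins for the Drupal 7 functions of the same name, the three *_message() helpers are hypothetical, and the sample path is the proof-of-concept value from the steps above. It shows the message as the advisory describes it, the same message after the patch below, and the placeholder form that escapes only the untrusted fragment.

```php
<?php
// Added illustration, not the Superfish module's or Drupal's own code:
// the "File not found" message built unescaped versus escaped.
// check_plain() and t() below are minimal stand-ins for the Drupal 7
// functions of the same name, reduced to the behaviour relevant here.

// Drupal 7 check_plain(): HTML-escape a string so it renders as text.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified t(): substitute placeholders; '@' placeholders are escaped
// with check_plain(), any other placeholder is inserted verbatim.
function t($string, array $args = array()) {
    foreach ($args as $key => $value) {
        if ($key[0] === '@') {
            $args[$key] = check_plain($value);
        }
    }
    return strtr($string, $args);
}

// Hypothetical helper: the message as the advisory describes it, with the
// untrusted form value concatenated straight into the text.
function vulnerable_message($path) {
    return t('File not found') . ': ' . $path;
}

// Hypothetical helper: the same message after the advisory's patch.
function patched_message($path) {
    return check_plain(t('File not found') . ': ' . $path);
}

// Hypothetical helper: the Drupal 7 idiom, escaping only the untrusted part.
function placeholder_message($path) {
    return t('File not found: @path', array('@path' => $path));
}

// Constructed sample input: the proof-of-concept value typed into the
// "Path to Superfish library" field.
$path = "<script>alert('XSS')</script>";

echo "vulnerable : ", vulnerable_message($path), PHP_EOL;
echo "patched    : ", patched_message($path), PHP_EOL;
echo "placeholder: ", placeholder_message($path), PHP_EOL;

// Self-check: neither safe variant leaves a raw '<' for the browser to parse.
assert(strpos(patched_message($path), '<') === false);
assert(strpos(placeholder_message($path), '<') === false);
```

Run it with the PHP CLI; only the first line of output contains a live <script> tag, the other two render as literal text in the Drupal message area.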
Patch:
------
The following patch mitigates the vulnerability:
- --- superfish.admin.inc 2014-06-25 13:23:30.274737050 -0400
+++ superfish.admin_xssfixed.inc 2014-06-25 13:26:59.542740204 -0400
@@ -107,7 +107,7 @@ function superfish_admin_settings_ valida
else {
$error_message = t('File not found') . ': ' . $error[0];
}
- - form_set_error('superfish_slp' , $error_message);
+ form_set_error('superfish_slp' , check_plain($error_message));
}
}
}
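Review bot: wrapping the whole concatenated string in check_plain() escapes the translated 'File not found' text together with the untrusted path; that is harmless for this string, but the Drupal 7 idiom is to let t() escape only the untrusted fragment, e.g. $error_message = t('File not found: @path', array('@path' => $error[0])); which keeps any markup a translator adds intact and makes it explicit which part is untrusted. The hunk's context shows only the else branch; the branch above it, which builds $error_message in the other case, is outside the context lines and should be checked for the same raw concatenation of the form value.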
Vendor Response:
----------------
The Drupal security team has acknowledged the existence of the
vulnerability and will be addressing the issue publicly. Due to the
low exploitability of the vulnerability, a patch will be released at
the module maintainer's earliest convenience.
--
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information