Drupal Cross-site scripting in community projects

21 March 2014

A while ago I fixed and reported a cross-site scripting (XSS) issue in a Drupal community theme. I was curious how easy it would be to find new security bugs.

I looked at a number of the most-used themes and modules and found various security problems in them. I reported these to the Drupal security team. This ultimately resulted in security updates for these projects in which the problems found were fixed.

  • Touch theme
    Touch Theme is a lightweight theme with a modern look and feel. The theme does not sufficiently sanitize the theme settings input for the Twitter and Facebook usernames.
    11 June 2014

  • Zen theme
    The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue.
    30 April 2014

  • Professional theme
    The theme does not sufficiently sanitize two theme settings for custom copyright information, leading to a persistent cross-site scripting (XSS) vulnerability.
    23 April 2014

  • Custom search module
    The module doesn't sanitize taxonomy vocabulary labels before display, leading to a persistent cross-site scripting (XSS) vulnerability.
    23 April 2014

  • Skeleton theme
    The Skeleton theme does not properly sanitize two theme settings before they are used in the output of a page.
    9 April 2014

  • Simplecorp theme
    The SimpleCorp theme does not properly sanitize three theme settings before they are used in the output of a page.
    9 April 2014

  • Bluemasters theme
    The Bluemasters theme does not properly sanitize two theme settings before they are used in the output of a page.
    9 April 2014

  • NewsFlash theme
    The theme does not sanitize the user provided theme setting for the font family CSS property, thereby exposing a cross-site scripting (XSS) vulnerability.
    6 March 2014

  • Mayo theme
    The theme settings allow you to link to a header background file. A URL could be entered that was not properly sanitized, leading to an XSS vulnerability.
    12 February 2014
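All of the advisories above share one root cause: a string typed into the theme settings form (a username, copyright text, a font family, a background URL) is stored and later printed verbatim into the page, so markup in it executes for every visitor. The following is an added example, not code from any of the listed projects, showing that pattern in a hypothetical Drupal 7 theme called "demotheme" next to a hardened version that escapes each value for the context it lands in. The setting names, the helper `demotheme_css_url()`, and the assumption that `$variables['header_style']` is printed inside a `style="..."` attribute in page.tpl.php are all assumptions of the example; `theme_get_setting()`, `check_plain()`, `check_url()`, `filter_xss()`, `drupal_strip_dangerous_protocols()` and `drupal_add_css()` are Drupal 7 core APIs.

```php
<?php
// Added example (not code from any of the themes or modules listed above).
// Hypothetical Drupal 7 theme "demotheme"; the setting names are assumptions.

/**
 * The vulnerable pattern: theme settings are strings an administrator typed
 * into the theme settings form. They are stored and later printed verbatim
 * into HTML and CSS, so any markup they contain runs on every page
 * (persistent XSS).
 */
function demotheme_preprocess_page_unsafe(&$variables) {
  $twitter   = theme_get_setting('demotheme_twitter_username');
  $copyright = theme_get_setting('demotheme_copyright');
  $font      = theme_get_setting('demotheme_font_family');
  $header_bg = theme_get_setting('demotheme_header_background');

  // None of these values is escaped for the context it is written into.
  $variables['twitter_link'] = '<a href="https://twitter.com/' . $twitter . '">@' . $twitter . '</a>';
  $variables['copyright']    = $copyright;
  $variables['header_style'] = 'background-image: url(' . $header_bg . ');';
  drupal_add_css('body { font-family: ' . $font . '; }', array('type' => 'inline'));
}

/**
 * Prepare an administrator-supplied URL for use inside a CSS url("...")
 * that is itself printed in an HTML style attribute (assumed layout).
 * Percent-encoding the CSS string delimiters first means that after the
 * browser decodes the HTML entities produced by check_plain(), nothing
 * remains that could terminate the CSS string or the url() function.
 */
function demotheme_css_url($url) {
  // Remove javascript:, data: and similar schemes.
  $url = drupal_strip_dangerous_protocols($url);
  // Characters that are meaningful inside a CSS string/url() token.
  $url = strtr($url, array(
    '"'  => '%22', "'" => '%27', '(' => '%28', ')' => '%29',
    ' '  => '%20', '\\' => '%5C', "\n" => '%0A',
  ));
  // HTML attribute context.
  return check_plain($url);
}

/**
 * Implements hook_preprocess_page().
 *
 * Hardened version: each value is escaped (or restricted) for the context
 * it ends up in, which is what the fixed releases of the themes above do.
 */
function demotheme_preprocess_page(&$variables) {
  $twitter   = theme_get_setting('demotheme_twitter_username');
  $copyright = theme_get_setting('demotheme_copyright');
  $font      = theme_get_setting('demotheme_font_family');
  $header_bg = theme_get_setting('demotheme_header_background');

  // HTML text and attribute context: check_plain() escapes <, >, &, " and '.
  // The href is built with check_url(), which strips dangerous protocols
  // before escaping.
  $variables['twitter_link'] = '<a href="' . check_url('https://twitter.com/' . $twitter) . '">@'
    . check_plain($twitter) . '</a>';

  // Rich-text context: filter_xss() keeps only the listed tags and removes
  // event-handler and script-bearing attributes from those it keeps.
  $variables['copyright'] = filter_xss($copyright, array('a', 'em', 'strong'));

  // URL inside CSS url() inside a style attribute: see demotheme_css_url().
  $variables['header_style'] = 'background-image: url("' . demotheme_css_url($header_bg) . '");';

  // CSS identifier context: core has no escaper for this, so allow-list the
  // characters a font-family list can contain and fall back otherwise.
  if (!preg_match('/^[A-Za-z0-9 ,-]+$/', $font)) {
    $font = 'sans-serif';
  }
  drupal_add_css('body { font-family: ' . $font . '; }', array('type' => 'inline'));
}
```

The point the example makes is that "sanitize" is context-dependent: `check_plain()` is right for HTML text, `check_url()` for an href, `filter_xss()` for text that is allowed to carry a few tags, and a CSS property needs an allow-list because no core escaper exists for it. Reviewing a theme for this class of bug therefore means finding every `theme_get_setting()` call and checking that its result reaches the output through the escaper that matches the surrounding markup.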