Ik heb een tijd geleden een cross-site scripting (XSS) probleem in een Drupal community theme opgelost en aangemeld. Ik was benieuwd hoe makkelijk het zou zijn om nieuwe security bugs te vinden.
Ik heb een aantal van de meest gebruiker themes en modules bekeken en daarin diverse security problemen gevonden. Ik heb deze aangemeld bij het Drupal security team. Dit heeft uiteindelijk geresulteerd in security updates van deze projecten waarbij de gevonden problemen zijn opgelost.
- Touch theme
Touch Theme is a light weight theme with modern look and feel. The theme does not sufficiently sanitize theme settings input for Twitter and Facebook username.
11 juni 2014
- Zen theme
The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue.
30 april 2014
- Professional theme
The theme does not sufficiently sanitize twi theme settings for custom copyright information leading to a persistent cross site scripting (XSS) vulnerability.
23 april 2014
- Custom seach module
The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting (XSS) vulnerability.
23 april 2014
- Skeleton theme
The Skeleton theme does not properly sanitize two theme settings before they are used in the output of a page.
9 april 2014
- Simplecorp theme
The SimpleCorp theme does not properly sanitize three theme settings before they are used in the output of a page.
9 april 2014
- Bluemasters theme
The Bluemasters theme does not properly sanitize two theme settings before they are used in the output of a page.
9 april 2014
- NewsFlash theme
The theme does not sanitize the user provided theme setting for the font family CSS property, thereby exposing a cross-site scripting (XSS) vulnerability.
6 maart 2014
- Mayo theme
The theme settings allow you to link to a header background file. A URL could be entered that was not properly sanitized leading to XSS vulnerability.
12 februari 2014