https://github.com/trinitronx/drupal-xss

Some sample code to mess with a potential Drupal XSS flaw
README

Drupal 7.x XSS Proof-of-Concept
-------------------------------

A simple demo of the potential Drupal XSS hole.

There are 2 variants:
- Remote proxy-scan-like requests (generate admin emails and log entries containing the attacker's domain)
- MITM XSS attacks (Host header rewriting required)

Risk for direct XSS abuse is probably somewhat low, and limited to an attacker who already has a MITM position. The potential for harm is HIGH in this case!
Risk for phishing is HIGH: emails are auto-generated with links to the update page on an attacker's site.

Insertion of links to the attacker's website is possible in these places:

- "Recent log messages" page in Drupal's administration console
- Many script tag 'src' attributes in pages returned to the user, in the case of a MITM attacker
  - For this case, the attacker must have MITM and rewrite the Host: header to point to their own domain.
  - No proxy-like requests necessary!
  - Presumably they would host a Drupal site with some payload scripts installed in place of some of the normal Drupal scripts.
- Automatic site update emails sent to the admin user (the value of the Host: header is used)

For sample output of the MITM-type attack, see the comments in drupal-xss.c.
The following is a sample email generated by this bug (remote proxy request variant):

Sample Email
------------

Subject: New release(s) available for Drupal Test Site

There are updates available for your version of Drupal. To ensure the proper
functioning of your site, you should update as soon as possible.

See the available updates page for more information:
http://attackersite.scripts.example.com/?q=admin/reports/updates

Your site is currently configured to send these emails when any updates are
available. To get notified only for security updates,
http://attackersite.scripts.example.com/?q=admin/reports/updates/settings.
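As an added defender-side example (not code from the drupal-xss project), the Python below applies a Host allowlist, in the spirit of the trusted_host_patterns setting that later Drupal releases added, both to generated links like the ones in the email above and to constructed access-log lines; the example.com allowlist and the log format with the Host header appended as the last field are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hosts this Drupal site is actually served under (constructed allowlist; regexes
# in the same style as Drupal 8+'s trusted_host_patterns).
TRUSTED_HOST_PATTERNS = [r"^www\.example\.com$", r"^example\.com$"]


def host_is_trusted(host, patterns=TRUSTED_HOST_PATTERNS):
    """Return True if a Host header value matches an allowed pattern.
    Case and an optional :port are normalised away; anything else is untrusted."""
    host = host.strip().lower().split(":", 1)[0]
    return any(re.match(p, host) for p in patterns)


def link_uses_trusted_host(url):
    """Check a link Drupal generated from the Host header (update email, log entry)."""
    return host_is_trusted(urlsplit(url).hostname or "")


# Constructed Apache-style access-log lines; the Host header is the last quoted field.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /?q=node HTTP/1.1" 200 1234 "www.example.com"
203.0.113.7 - - [10/Oct/2014:13:55:40 +0000] "GET /?q=admin/reports/updates HTTP/1.1" 403 210 "attackersite.scripts.example.com"
198.51.100.9 - - [10/Oct/2014:13:56:01 +0000] "GET /?q=user HTTP/1.1" 200 980 "www.example.com:8080"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ "(?P<host>[^"]*)"$'
)


def find_untrusted_hosts(log_text):
    """Return (client_ip, host, request) for every request whose Host header is not trusted.
    These are the requests that would have seeded attacker domains into watchdog and emails."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not host_is_trusted(m.group("host")):
            hits.append((m.group("ip"), m.group("host"), m.group("req")))
    return hits


if __name__ == "__main__":
    for ip, host, req in find_untrusted_hosts(SAMPLE_LOG):
        print(f"untrusted Host {host!r} from {ip}: {req}")
```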