Cracking Drupal - Cross Site Scripting http://crackingdrupal.com/taxonomy/term/5/0 en When a Security Vulnerability is Just a Bug - Drupal Content Access XSS http://crackingdrupal.com/blog/greggles/when-security-vulnerability-just-bug-drupal-content-access-xss <p>If you pay close attention you may have noticed a recent <a href="http://seclists.org/fulldisclosure/2009/May/0232.html">disclosure</a> of an XSS vulnerability in the <a href="http://drupal.org/project/content_access">Content Access</a> module.</p> <p>This report comes from a system administrator and security researcher at a <a href="http://www.upenn.edu/">fine university</a> and contains a section titled Vendor Response:</p> <blockquote><p> Drupal security [team] was notified of this vulnerability on 5/19/2009. Vendor<br /> has declined to issue an official security announcement due to the<br /> restricted access rights required to carry out the proof of concept<br /> exploit. Vendor has filed a bug with the module maintainer at<br /> <a href="http://drupal.org/node/472494" title="http://drupal.org/node/472494">http://drupal.org/node/472494</a>. </p></blockquote> <p><!--break--><!--break--></p><p>XSS is a big deal! With XSS you can run any activity like <a href="http://crackingdrupal.com/blog/greggles/update-uid1-password-javascript-ported-drupal-6x">change a user's password</a>. A similar issue <a href="http://drupal.org/node/316136">exists in Drupal core</a>.</p> <p>However, the only way to exploit this vulnerability is to edit a role or create a new role, which is only possible for people with the permission to do a lot of other really bad things on the site much more directly than XSS.</p> <p>The Drupal Security team has to balance the desire to have vulnerability-free code with the desire to get every end-user updated to the most recent code. If there are dozens of new vulnerability reports and releases of core/modules all the time end users will start to ignore them - particularly when they are for things like this which aren't the most important concern within this scenario.</p> <p>Is that logic sound? Do we really have a noise/upgrade/"useless release" problem? Let's look at the numbers.</p> <h3>How quickly do Drupal site maintainers upgrade?</h3> <p>So, are we doing a good job of supporting people and getting them to upgrade their site and modules?</p> <p><img src="http://farm3.static.flickr.com/2451/3570392970_46f66a8354.jpg?v=0" /></p> <p>Sadly people are still very slow to upgrade. Screaming louder about security holes isn't going to help.</p> <p>There are lots of things we can do here. I've heard complaints that upgrading is too hard - it's too easy to break your site in the process. I've also heard complaints that "Well, I upgraded and then 2 weeks later a new release came out. So now I wait 2 weeks after every release to make sure I only have to do it once." I've also heard "there are so many releases and I don't understand them, so I just upgrade my sites periodically."</p> <p>Dang.</p> <p>So, as bullet points of what we can do</p> <ul> <li>Make upgrading as easy as possible (without sacrificing security...)</li> <li>Reduce unnecessary noise and confusion around SA</li> <li>Only make an SA/Release when it's absolutely necessary</li> </ul> <p>What else? Why don't you upgrade your sites? What could Drupal or the security team do to make you more likely to upgrade?</p> http://crackingdrupal.com/blog/greggles/when-security-vulnerability-just-bug-drupal-content-access-xss#comments Cross Site Scripting Planet Drupal XSS Wed, 27 May 2009 14:43:14 +0000 greggles 21 at http://crackingdrupal.com