Drupal Finder Module Multiple Cross-Site Scripting And Arbitrary Code Execution Vulnerabilities
BID:51921
Info
| Bugtraq ID: | 51921 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 08 2012 12:00AM |
| Updated: | Feb 08 2012 12:00AM |
| Credit: | Justin C. Klein-Keane |
| Vulnerable: | Drupal Finder 7.x-2.0-alpha6, Drupal Finder 7.x-1.6, Drupal Finder 6.x-1.24 |
| Not Vulnerable: | Drupal Finder 7.x-2.0-alpha8, Drupal Finder 6.x-1.26 |
Discussion
The Finder module for Drupal is prone to multiple cross-site-scripting vulnerabilities and an arbitrary-code-execution vulnerability because the application fails to sufficiently sanitize user-supplied data.
Attackers can exploit these issues to execute arbitrary code in the context of the webserver and steal cookie-based authentication credentials from legitimate users of the site. Other attacks are also possible.
These vulnerabilities affect the following:
- Drupal Finder 6.x-1.x versions prior to 6.x-1.26
- Drupal Finder 7.x-1.x versions
- Drupal Finder 7.x-2.x versions prior to 7.x-2.0-alpha8
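
A version check for the affected ranges listed above, as an added example (not part of the original advisory or the Finder project). It assumes version strings of the form `core.x-major.minor` with an optional `-alphaN`, `-betaN` or `-rcN` suffix; anything else, such as a dev snapshot, is reported as unknown. The function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed release per (core, major) branch, taken from this advisory.
# None means the advisory lists the whole branch as affected with no fixed release.
FIXED = {
    ("6", 1): "6.x-1.26",
    ("7", 1): None,
    ("7", 2): "7.x-2.0-alpha8",
}

_VERSION = re.compile(r"^(\d+)\.x-(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")
# Pre-release stages sort before a plain release of the same minor number.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse(version):
    """Split a version string into (core, major, sortable key)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    core, major, minor, stage, number = m.groups()
    return core, int(major), (int(minor), _STAGE[stage], int(number or 0))


def is_affected(version):
    """True if the advisory's ranges cover this Finder release."""
    core, major, key = parse(version)
    if (core, major) not in FIXED:
        return False  # branch is not named in the advisory
    fixed = FIXED[(core, major)]
    if fixed is None:
        return True
    return key < parse(fixed)[2]


def audit(inventory):
    """Map each site to 'affected', 'not listed' or 'unknown'."""
    report = {}
    for site, version in inventory.items():
        try:
            report[site] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            report[site] = "unknown"  # e.g. dev snapshot: check manually
    return report


if __name__ == "__main__":
    # Constructed sample inventory: site name -> installed Finder version.
    sample = {"intranet": "7.x-2.0-alpha6", "shop": "6.x-1.26", "lab": "7.x-2.x-dev"}
    for site, status in audit(sample).items():
        print(site, status)
```
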
Exploit / POC
Attackers can exploit these issues with a browser. To exploit a cross-site scripting issue, an attacker must entice an unsuspecting user to follow a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References:
- Drupal Homepage (Drupal)
- Finder Homepage (Drupal)
- SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities (Drupal)