Drupal ShareThis Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities
BID:52778
Info
Drupal ShareThis Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 52778 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 28 2012 12:00AM |
| Updated: | Mar 28 2012 12:00AM |
| Credit: | Travis Tomka |
| Vulnerable: |
Drupal ShareThis 7.x-2.1 |
| Not Vulnerable: |
Drupal ShareThis 7.x-2.3 Drupal ShareThis 7.x-2.2 |
Discussion
Drupal ShareThis Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities
The ShareThis module for Drupal is prone to a cross-site request-forgery vulnerability and a cross-site scripting vulnerability.
An attacker can exploit the cross-site request-forgery issue to perform unauthorized actions in the context of a user's session. This may aid in other attacks.
The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to ShareThis 7.x-2.2 are vulnerable.
The ShareThis module for Drupal is prone to a cross-site request-forgery vulnerability and a cross-site scripting vulnerability.
An attacker can exploit the cross-site request-forgery issue to perform unauthorized actions in the context of a user's session. This may aid in other attacks.
The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible.
Versions prior to ShareThis 7.x-2.2 are vulnerable.
Exploit / POC
Drupal ShareThis Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities
An attacker must trick an unsuspecting victim into following a malicious URI to exploit these issues.
An attacker must trick an unsuspecting victim into following a malicious URI to exploit these issues.
Solution / Fix
Drupal ShareThis Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities
Solution:
Updates are available. Please see the references for details.
Drupal ShareThis 7.x-2.1
Solution:
Updates are available. Please see the references for details.
Drupal ShareThis 7.x-2.1
-
Drupal sharethis 7.x-2.2
http://drupal.org/node/1294176 -
Drupal sharethis 7.x-2.3
http://drupal.org/node/1504746
References
Drupal ShareThis Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities
References:
References:
- Drupal Homepage (Drupal)
- SA-CONTRIB-2012-049 - ShareThis - Multiple Vulnerablies (Drupal)
- ShareThis Homepage (Drupal)