iPolicy Networks Security Advisory

Drupal Database Administration Module XSS and Request Forgery Vulnerability

Date Discovered: 04/22/2007
Severity: High
Application Affected: Drupal Database administration module 4.6.x-*
Drupal Database administration module 4.7.x-1.* before version 4.7.x-1.2
Synopsis
The Drupal Database administration module is vulnerable to cross-site scripting. A remote attacker can run arbitrary script code by exploiting this vulnerability.
Recommended Actions
The vendor has fixed this issue in a new version of the application.
http://drupal.org/node/135549
Threat Analysis
Drupal allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website. The database administration module of Drupal allows a site administrator with sufficient privilege to view and directly modify the Drupal database tables for a site. Several vulnerabilities found in this module lead to cross-site scripting; they were discovered in the display of results when the administrator runs queries against the database, and in other parts of the user interface.

The vulnerability is due to improper sanitization by the dba module of the results of various database queries before they are returned to the user. Also, the dba module has not been fully ported to the Drupal Form API, so there are places in the code that are vulnerable to cross-site request forgery attacks.

Successful exploitation allows a remote attacker to run arbitrary script code in a privileged context.
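The two weaknesses described above, shown as an added illustration in the Drupal 4.7-era module style (this is not the dba module's own code; it assumes the Drupal 4.7 API functions db_query(), db_fetch_array(), check_plain(), theme('table') and the Form API, and uses the core node table as a sample):

```php
<?php
// Added illustration of the two defects, not code from the dba module.

// Vulnerable pattern: query result cells are placed straight into HTML.
// Any value stored in the table (for example a node title containing
// <script> markup) is rendered as live markup in the administrator's browser.
function dba_example_table_unsafe() {
  $result = db_query("SELECT nid, title FROM {node}");
  $rows = array();
  while ($row = db_fetch_array($result)) {
    $rows[] = array($row['nid'], $row['title']);   // no escaping
  }
  return theme('table', array('nid', 'title'), $rows);
}

// Hardened pattern: every cell is passed through check_plain() before it
// reaches the page, so stored markup is displayed as text, not executed.
function dba_example_table_safe() {
  $result = db_query("SELECT nid, title FROM {node}");
  $rows = array();
  while ($row = db_fetch_array($result)) {
    // Database contents are untrusted: any user who could write to the
    // table could have stored markup in it.
    $rows[] = array_map('check_plain', array($row['nid'], $row['title']));
  }
  return theme('table', array('nid', 'title'), $rows);
}

// CSRF: a state-changing action (such as running a query) exposed as a plain
// <form> with no per-user token can be triggered by a forged cross-site
// request. Building the form through the Form API makes Drupal attach and
// validate a form token, so a forged request is rejected before the submit
// handler runs. Form id and handler names are assumed sample names.
function dba_example_query_form() {
  $form['query'] = array(
    '#type' => 'textarea',
    '#title' => t('SQL query'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Run query'));
  return $form;   // rendered via drupal_get_form(), which adds the token
}

function dba_example_query_form_submit($form_id, $form_values) {
  // Reached only after Drupal has validated the form token.
  $result = db_query($form_values['query']);
  // ... render the result with the escaping shown in dba_example_table_safe()
}
```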
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2160
http://secunia.com/advisories/24848

Write-up by: Vikrant
Copyright ©2009 iPolicy Networks - Security Products Division of Tech Mahindra Limited