Information Assurance

Matthew




Bugtraq and Websecurity Analysis

Drupal 6 XSS Vulnerability

IE 6 DoS

Dark Home Attack


On November 9th there were two related bugs discussed in bugtraq issue 2437. The first is a Drupal 6 bug that allowed for cross-site scripting attacks. The second is an Internet Explorer 6 vulnerability in which Javascript can be used in a DoS attack against the end user.

There are several flavors of XSS attack, a class of vulnerability that comprised 80% of all security vulnerabilities documented by Symantec in 2007. The main differences are whether or not an attack is persistent and whether or not it uses DOM access.

Non-persistent attacks generally involve altering the values of a submitted HTML form so that, if the server generates content from that form without sanitizing the response, a victim's browser will display a malicious login form or execute malicious Javascript code. A great interactive demo of a non-persistent XSS attack can be found here. Victims generally must be linked directly to the malicious page, and these attacks are used to steal passwords, cookies, and personal information.

Persistent XSS attacks involve posting content to a server that is then displayed to other users (such as a Facebook wall post or message). These attacks are also used to steal passwords, cookies, and personal information. Because users do not need to be linked directly to a page with malicious content, everyone with the privileges to access a page that displays the malicious content can become a victim.

Some attacks display the malicious content in the page location specified by the server, but a more crafty and successful method is to alter the DOM using Javascript. Instead of creating a new form to steal a user's password, it is possible to alter the current form's action value, or to use AJAX to send a personal message containing the sensitive information from a form when that form is submitted, without disturbing the flow of the website by loading a middleman page.

The vulnerability in question is a persistent XSS vulnerability that allows DOM access because users can post content in a form containing malicious Javascript code in a Drupal 6 forum. The IE6 DoS vulnerability could be used in tandem with this code to DoS the end users of a website in two different ways. IE6 users with Javascript enabled who view a page with the malicious Javascript code will be unable to click on links, close the browser, or use any of the menus typically available to them. The only way to close the browser is by killing the process in the task manager.

These two attacks could be used to create a non-persistent (used in a different manner than above) attack against the end user. By creating forum posts with the malicious Javascript code the users who view the exploited forum pages will be unable to use their browsers to continue viewing the site.

It can also be used to create a persistent attack by altering the DOM elements of a "Make this site my homepage" or "Bookmark this page" link. When the user clicks one of the links mentioned, they could actually be tricked into setting a different webpage to their homepage. Then, every time they open IE they will open a page that will initiate a DoS attack. There is no way to break the cycle short of altering the registry.

There are several ways to mitigate these attacks, both as server administrators and as end users. Server administrators can sanitize all output by forcing the content type, whitelisting acceptable HTML elements or blacklisting unacceptable elements, or sandboxing Javascript as Facebook does if allowing Javascript code is necessary. As an end user, you can upgrade your browser to a version released after this flood bug, or switch to Chrome, Safari, or Firefox.
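The server-side mitigation described above (escape everything by default, and whitelist a small set of harmless elements where formatting is needed) is shown below as an added example. It is not code from the original page or from Drupal; the tag set in `ALLOWED`, the `safeHref` rule, and the constructed forum post in `SAMPLE_POST` are all assumptions chosen for illustration. The sanitizer escapes any tag that is not on the whitelist in place, drops every attribute that is not explicitly permitted (so event handlers such as `onclick` never survive), and only keeps `href` values that start with `http://` or `https://`, which covers the stored-content case from the Drupal forum as well as the reflected-form case discussed earlier.

```javascript
// Added example (not the page's or Drupal's code): defensive output handling
// for user-submitted content before it is written into an HTML page.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML-significant character so the browser renders text as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Whitelist (an assumption for this example): allowed tags and, per tag,
// the attributes that may be kept. Anything not listed is escaped or dropped.
const ALLOWED = {
  b: [], i: [], em: [], strong: [], p: [], br: [],
  a: ['href'],
};

// Only http(s) URLs may appear in href; this rejects javascript: and data: URLs.
function safeHref(value) {
  const trimmed = value.trim();
  return /^https?:\/\//i.test(trimmed) ? escapeHtml(trimmed) : null;
}

// Whitelist sanitizer: walks the input tag by tag. Tags in ALLOWED are
// re-emitted with only their permitted attributes; every other tag is escaped
// in place so it shows up as literal text instead of executing.
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) {
      out += escapeHtml(m[0]); // e.g. <script> becomes &lt;script&gt;
      continue;
    }
    if (m[0].startsWith('</')) {
      out += `</${name}>`;
      continue;
    }
    let attrs = '';
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      const attrValue = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : (a[4] || ''));
      if (!ALLOWED[name].includes(attrName)) continue; // drops onclick, style, ...
      if (attrName === 'href') {
        const href = safeHref(attrValue);
        if (href !== null) attrs += ` href="${href}"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeHtml(input.slice(last)); // trailing text after the last tag
  return out;
}

// Constructed sample forum post (not real data): harmless formatting mixed
// with an event handler and an inline script.
const SAMPLE_POST =
  'Hi <b>all</b>, see <a href="https://example.com/" onclick="steal()">this</a>' +
  '<script>alert(1)</script>';

// Render the post both ways: fully escaped, and whitelisted.
function renderEscaped(post) { return escapeHtml(post); }
function renderSanitized(post) { return sanitizeHtml(post); }

console.log(renderEscaped(SAMPLE_POST));
console.log(renderSanitized(SAMPLE_POST));
```

Running the block prints the fully escaped post first (no markup survives at all) and then the whitelisted version, in which the bold and link markup is kept, the `onclick` handler is gone, and the `<script>` element appears as inert text. The same two functions apply to a reflected value echoed from a submitted form: the choice between them is whether the page needs any formatting from the user at all.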