Drupal’s popular open source web content management system ranks third behind WordPress and Joomla, and is used by many organizations including The Economist, Harvard University, Tesla Motors, Pfizer, the Australian government, and The White House.
Despite its popularity and sturdy reputation, it was discovered recently that Drupal 8.0.x is susceptible to a cross-site scripting (XSS) vulnerability.
Good and Bad News
The not-so-good news is that there is no official patch for this vulnerability yet as of this writing.
Internet Explorer 8
The reason the vulnerability works with Internet Explorer 8 is that it is a forgiving browser that “autocorrects” a syntax error where ` is used instead of '. Because of this, an attacker can use ` to terminate a string and start writing code which will be rendered and executed in the client’s browser.
The vulnerability was published by Rafay Baloch, a security researcher from Pakistan. Drupal’s XSS filter does not filter the ` character, which allows an attacker to run payloads with a ` delimiting the script from the text, specifically in the autocomplete module of Drupal.
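To make the filtering gap concrete, here is an added example (not Drupal’s code, and the `<li data-value="…">` markup is a hypothetical stand-in for an autocomplete entry): a standard-library escaper that, like the filter described above, leaves the backtick alone, beside a hardened attribute-context escaper that encodes it, plus a defender-side check that flags inputs carrying a raw backtick for logging.

```python
import html
import re

# Constructed sample autocomplete suggestions; the second carries a backtick
# in a position IE8 would treat as a string delimiter inside an attribute.
SAMPLE_SUGGESTIONS = [
    "Drupal 8 release notes",
    "article title` with a stray backtick",
]


def escape_naive(value: str) -> str:
    """Standard-library escaping: handles & < > " and ' but leaves ` untouched,
    the same gap the post describes in the Drupal 8.0.x filter."""
    return html.escape(value, quote=True)


def escape_attribute(value: str) -> str:
    """Hardened attribute-context escaping: also encodes the backtick so an
    IE8 'autocorrected' attribute value cannot be terminated early."""
    return escape_naive(value).replace("`", "&#x60;")


def render_suggestion(value: str, escape=escape_attribute) -> str:
    """Emit one autocomplete entry with the value in an HTML attribute and in
    text content (hypothetical markup, not Drupal's own)."""
    return f'<li data-value="{escape(value)}">{escape(value)}</li>'


BACKTICK_RE = re.compile(r"`")


def flag_backtick(values):
    """Monitoring helper: return the indexes of inputs containing a raw
    backtick, since the filter discussed here passes that character through."""
    return [i for i, v in enumerate(values) if BACKTICK_RE.search(v)]


if __name__ == "__main__":
    for s in SAMPLE_SUGGESTIONS:
        print("naive   :", render_suggestion(s, escape_naive))
        print("hardened:", render_suggestion(s))
    print("inputs with backtick:", flag_backtick(SAMPLE_SUGGESTIONS))
```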
So What Can Attackers Do?
• Hijack session cookies and gain access to user sessions and accounts.
• Operate a browser keylogger, which sends user keystrokes to the attacker.
• Turn the user into a temporary bot to help execute attacks, such as DDoS, on other sites.
Escaping the inputs sanitizes the content, so attempts to execute code are either blocked or deleted. However, this goes to show that even in such a popular application, such flaws exist, which is why securing websites with a layered approach, with a web application firewall on top of application-layer validation, is crucial.
If you have comments for us, we’d love to hear them or email us your questions.