Security Alert: Drupal Context module

Posted by pfortuna

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

http://www.theregister.co.uk/2010/05/10/drupal_security_bug/

Comments

Check out this post by

Posted by kepford

Check out this post by @greggles that walks through the issue and how to address it on your site: http://crackingdrupal.com/blog/greggles/mitigation-against-cve-2010-1584... . I would also add that this problem has been slightly overblown by people who are not quite up to speed with Drupal security best practices. The likelihood of this actually being exploited on whitehouse.gov is slim to none in my opinion. The silver lining is that this actually highlights the advantages of open source.

Overblown is correct

Posted by coderintherye

It is only an exploit if
"Mitigating factors: In order to execute arbitrary script injection malicious users must have 'Administer blocks' permission."

Yeah, that permission is not doled out often.

Plus, this is already fixed in the latest release, just hours after it was reported: http://drupal.org/node/795118

Drupal evangelist.
www.CoderintheRye.com
