Drupal Cool aid Module Cross Site Scripting and Access Security Bypass Vulnerabilities

http://www.securityfocus.com/bid/52232

Security Info

Bugtraq ID: 52232
Class: Unknown
CVE:
Remote: Yes
Local: No
Published: Feb 29 2012 12:00AM
Updated: Feb 29 2012 12:00AM
Credit: Ivo Van Geertruyen
Vulnerable: Drupal Cool aid 6.X-1.4
Drupal Cool aid 6.X-1.3
Drupal Cool aid 6.X-1.2
Drupal Cool aid 6.X-1.1
Drupal Cool aid 6.X-1.0
Not Vulnerable: Drupal Cool aid 6.x-1.9
Drupal Cool aid 6.x-1.8
Drupal Cool aid 6.X-1.7
Drupal Cool aid 6.X-1.6

Security Discussion

The Cool aid module for Drupal is prone to a cross-site scripting vulnerability and a security-bypass vulnerability.

An attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials.

Attackers can exploit the security bypass issue to bypass security restrictions, obtain sensitive information, or perform unauthorized actions; this may aid in launching further attacks.

Other attacks are also possible.

Cool aid 6.x-1.x versions prior to 6.x-1.6 are vulnerable.
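A check for the affected range stated above, as an added example (not part of the advisory or the module's code). It assumes the installed release is read from the `version` key of the module's `.info` file; the sample file contents and the function names are constructed for illustration.

```python
import re

# Per the advisory: Cool aid 6.x-1.x releases before 6.x-1.6 are vulnerable.
FIXED_PATCH = 6
VERSION_RE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$', re.IGNORECASE)

# Constructed sample of a Drupal 6 .info file (not taken from the module).
SAMPLE_INFO = '''; constructed sample
name = Cool Aid
core = 6.x
version = "6.x-1.4"
'''

def info_version(info_text):
    """Return the value of the `version` key in .info text, or None if absent."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith(';'):          # .info comment line
            continue
        m = re.match(r'^version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None

def classify(version):
    """Map a Drupal contrib version string to 'vulnerable', 'fixed' or 'unknown'."""
    if version is None:
        return 'unknown'
    m = VERSION_RE.match(version.strip())
    if not m:
        return 'unknown'
    core, major, patch, extra = m.groups()
    if core != '6' or major != '1':
        return 'unknown'                  # the advisory only covers 6.x-1.x
    if patch.lower() == 'x':
        return 'unknown'                  # -dev snapshot: no release number to compare
    if int(patch) < FIXED_PATCH:
        return 'vulnerable'
    if int(patch) == FIXED_PATCH and extra:
        return 'unknown'                  # pre-release of 1.6: fix status not stated
    return 'fixed'

if __name__ == '__main__':
    v = info_version(SAMPLE_INFO)
    print(v, '->', classify(v))
```

Anything reported as `unknown` (development snapshots, pre-releases, other branches) needs a manual look, since the advisory does not cover it.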

Proof of Concept and Security Exploits

Attackers can use a browser to exploit the security-bypass issue. To exploit the cross-site scripting vulnerability, attackers must trick an unsuspecting victim into following a malicious URI.

Security Solution(s)

Solution:
Updates are available. Please see the references for details.

Security Reference(s)

References:

Site Updated April 16, 2014
©2000-2014 Emagined Security
All Rights Reserved