Contact Us
Network Security Consulting Advisories Article

Drupal Cool aid Module Cross Site Scripting and Access Security Bypass Vulnerabilities

Security Info

Bugtraq ID: 52232
Class: Unknown
Remote: Yes
Local: No
Published: Feb 29 2012 12:00AM
Updated: Feb 29 2012 12:00AM
Credit: Ivo Van Geertruyen
Vulnerable: Drupal Cool aid 6.X-1.4
Drupal Cool aid 6.X-1.3
Drupal Cool aid 6.X-1.2
Drupal Cool aid 6.X-1.1
Drupal Cool aid 6.X-1.0
Not Vulnerable: Drupal Cool aid 6.x-1.9
Drupal Cool aid 6.x-1.8
Drupal Cool aid 6.X-1.7
Drupal Cool aid 6.X-1.6

Security Discussion

The Cool aid module for Drupal is prone to a cross-site scripting vulnerability and a security-bypass vulnerability.

An attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials.

Attackers can exploit the security bypass issue to bypass security restrictions, obtain sensitive information, or perform unauthorized actions; this may aid in launching further attacks.

Other attacks are also possible.

Cool aid 6.x-1.x versions prior to 6.x-1.6 are vulnerable.

Proof of Concept and Security Exploits

Attackers can use a browser to exploit the security-bypass issue. To exploit cross-site scripting vulnerability attackers must trick an unsuspecting victim into following a malicious URI.

Security Solution(s)

Updates are available. Please see the references for details.

Security References(s)


Contact Us

Security Penetration Testing

Security Questions

Security Dashboard

Emagined Security Blog featuring Dr. Eugene Schultz
Site Updated March 29, 2015
©2000-2015 Emagined Security
All Rights Reserved

Secure Web Programming
by Vizual Services